User Guide
Version 6.0
Contents
About This Guide .................................................................................................................................xi
Chapter 1: Introduction .......................................................................................................................1
About Your Check Point VPN-1 Edge Appliance ..............................................................................1
VPN-1 Edge Products .........................................................................................................................2
VPN-1 Edge Features and Compatibility............................................................................................3
Connectivity....................................................................................................................................3
Firewall ...........................................................................................................................................4
VPN ................................................................................................................................................5
Management....................................................................................................................................5
Optional Security Services..............................................................................................................6
Package Contents ............................................................................................................................6
Network Requirements ...................................................................................................................7
Getting to Know Your VPN-1 Edge X series Appliance ....................................................................8
Rear Panel .......................................................................................................................................8
Front Panel ......................................................................................................................................9
Getting to Know Your VPN-1 Edge W Series Appliance.................................................................11
Rear Panel .....................................................................................................................................11
Front Panel ....................................................................................................................................13
Contacting Technical Support...........................................................................................................15
Chapter 2: Installing and Setting up the VPN-1 Edge Appliance...................................................17
Before You Install the VPN-1 Edge Appliance ................................................................................17
Windows 2000/XP ........................................................................................................................18
Windows 98/Millennium ..............................................................................................................23
Mac OS .........................................................................................................................................28
Mac OS-X .....................................................................................................................................30
Wall Mounting the Appliance ...........................................................................................................32
Using No Connection....................................................................................................................78
Setting Up a Dialup Modem .............................................................................................................85
Viewing Internet Connection Information ........................................................................................88
Enabling/Disabling the Internet Connection .....................................................................................90
Using Quick Internet Connection/Disconnection..............................................................................92
Configuring a Backup Internet Connection.......................................................................................92
Setting Up a LAN or Broadband Backup Connection ..................................................................92
Setting Up a Dialup Backup Connection ......................................................................................93
Chapter 5: Managing Your Network ................................................................................................95
Configuring Network Settings ..........................................................................................................95
Configuring a DHCP Server .........................................................................................................96
Changing IP Addresses ...............................................................................................................107
Enabling/Disabling Hide NAT....................................................................................................108
Configuring a DMZ Network......................................................................................................109
Configuring the OfficeMode Network........................................................................................111
Configuring VLANs ...................................................................................................................113
Configuring High Availability ........................................................................................................121
Configuring High Availability on a Gateway .............................................................................123
Sample Implementation on Two Gateways.................................................................................127
Adding and Editing Network Objects .........................................................................................131
Viewing and Deleting Network Objects .....................................................................................139
Using Static Routes.........................................................................................................................140
Adding and Editing Static Routes ...............................................................................................140
Viewing and Deleting Static Routes ...........................................................................................145
Managing Ports ...............................................................................................................................146
Viewing Port Statuses .................................................................................................................147
Modifying Port Assignments ......................................................................................................148
About This Guide
Note: Notes are denoted by indented text and preceded by the Note icon.
Warning: Warnings are denoted by indented text and preceded by the Warning icon.
Each task is marked with a product bar indicating the VPN-1 Edge products
required to perform the task. If you cannot perform the task using a particular
product, that product is crossed out. For example, the product bar below indicates a
task that requires VPN-1 Edge W8, W16, W32, or WU.
Chapter 1
Introduction
This chapter introduces the Check Point VPN-1 Edge appliance and this guide.
This chapter includes the following topics:
About Your Check Point VPN-1 Edge Appliance........................................1
VPN-1 Edge Products...................................................................................2
VPN-1 Edge Features and Compatibility .....................................................3
Getting to Know Your VPN-1 Edge X series Appliance .............................8
Getting to Know Your VPN-1 Edge W Series Appliance..........................11
Contacting Technical Support ....................................................................15
VPN-1 Edge Products
You can also connect VPN-1 Edge appliances to security services available from
select service providers, including firewall security and software updates, Web
Filtering, reporting, VPN management, and Dynamic DNS. Business users can use
the VPN-1 Edge appliance to securely connect to the corporate network.
VPN-1 Edge Features and Compatibility
Firewall
All VPN-1 Edge models have the following features:
• Check Point Firewall-1 Embedded NGX firewall with Application
Intelligence
• Intrusion Detection and Prevention using Check Point SmartDefense
• Network Address Translation (NAT)
• Three preset security policies
• Unlimited INSPECT Policy Rules
• Anti-spoofing
• Voice over IP (H.323) support
• Instant messenger blocking/monitoring
• P2P file sharing blocking/monitoring
VPN
All VPN-1 Edge models have the following features:
• Remote Access VPN Server with OfficeMode and RADIUS support
• Remote Access VPN Client
• Site-to-Site VPN Gateway
• IPSEC VPN pass-through
• Algorithms: AES/3DES/DES, SHA1/MD5
• Hardware Based Secure RNG (Random Number Generator)
• IPSec NAT traversal (NAT-T)
• Route-based VPN
• Backup VPN gateways
Management
All VPN-1 Edge models have the following features:
• Management via HTTP, HTTPS, SSH, SNMP, Serial CLI
• Central Management: Check Point SmartCenter, Check Point SmartLSM,
Check Point SmartUpdate, CheckPoint Provider-1, SofaWare SMP
• NTP automatic time setting
• TFTP Rapid Deployment
• Local diagnostics tools: Ping, WHOIS, Packet Sniffer, VPN Tunnel
Monitor, Connection Table Monitor, Wireless Monitor, Active Computers
Display, Local Logs
Package Contents
All VPN-1 Edge series include the following:
• VPN-1 Edge Internet Security Appliance
• Power adapter
• CAT5 Straight-through Ethernet cable
• Getting Started Guide
• This Users Guide
The VPN-1 Edge W series also includes:
• Two antennas
• Wall mounting kit, including two plastic conical anchors and two cross-head screws
• USB extension cable
Network Requirements
• A broadband Internet connection via cable or DSL modem with Ethernet
interface (RJ-45)
• 10BaseT or 100BaseT Network Interface Card installed on each computer
• TCP/IP network protocol installed on each computer
• Internet Explorer 5.0 or higher, or Netscape Navigator 4.7 and higher
• CAT 5 STP (Category 5 Shielded Twisted Pair) Straight Through Ethernet
cable for each attached device
Note: The VPN-1 Edge appliance automatically detects cable types, so you can use
either a straight-through or a crossed cable when cascading an additional hub or
switch to the VPN-1 Edge appliance.
Note: For optimal results, it is highly recommended to use either Microsoft Internet
Explorer 5.5 or higher, or Mozilla Firefox 1.0 or higher.
Getting to Know Your VPN-1 Edge X series Appliance
Rear Panel
The following figure shows the VPN-1 Edge X series appliance's rear panel. All
physical connections (network and power) to the VPN-1 Edge appliance are made
via the rear panel of your VPN-1 Edge appliance.
Label: Description
PWR: A power jack used for supplying power to the unit. Connect the supplied power adapter to this jack.
RESET: A button used for rebooting the VPN-1 Edge appliance or resetting the VPN-1 Edge appliance to its factory defaults. You need to use a pointed object to press this button.
RS-232: A serial port used for connecting computers in order to access the VPN-1 Edge CLI (Command Line Interface), or for connecting an external dialup modem.
WAN: Wide Area Network: An Ethernet port (RJ-45) used for connecting your cable or xDSL modem, or for connecting a hub when setting up more than one Internet connection.
DMZ/WAN2: A dedicated Ethernet port (RJ-45) used to connect a DMZ (Demilitarized Zone) computer or network. Alternatively, it can serve as a secondary WAN port, or as a VLAN trunk.
LAN 1-4: Local Area Network switch: Four Ethernet ports (RJ-45) used for connecting computers or other network devices.
Front Panel
The VPN-1 Edge X appliance includes several status LEDs that enable you to
monitor the appliance's operation.
For an explanation of the VPN-1 Edge X appliance’s status LEDs, see the table
below.
On (Red): Error
Getting to Know Your VPN-1 Edge W Series Appliance
Rear Panel
All physical connections (network and power) to the VPN-1 Edge appliance are
made via the rear panel of your VPN-1 Edge appliance.
Label: Description
PWR: A power jack used for supplying power to the unit. Connect the supplied power adapter to this jack.
RESET: A button used for rebooting the VPN-1 Edge appliance or resetting the VPN-1 Edge appliance to its factory defaults. You need to use a pointed object to press this button.
USB: Two USB 2.0 ports used for connecting USB-based printers.
RS232: A serial (RS-232) port used for connecting computers in order to access the VPN-1 Edge CLI (Command Line Interface), or for connecting an external dialup modem.
WAN: Wide Area Network: An Ethernet port (RJ-45) used for connecting your cable or xDSL modem, or for connecting a hub when setting up more than one Internet connection.
DMZ/WAN2: A dedicated Ethernet port (RJ-45) used to connect a DMZ (Demilitarized Zone) computer or network. Alternatively, it can serve as a secondary WAN port, or as a VLAN trunk.
LAN 1-4: Local Area Network switch: Four Ethernet ports (RJ-45) used for connecting computers or other network devices.
Front Panel
The VPN-1 Edge W appliance includes several status LEDs that enable you to
monitor the appliance’s operation.
On (Red): Error
Chapter 2
Installing and Setting up the VPN-1 Edge Appliance
Before You Install the VPN-1 Edge Appliance
Windows 2000/XP
Note: While Windows XP has an "Internet Connection Firewall" option, it is
recommended to disable it if you are using a VPN-1 Edge appliance, since the
VPN-1 Edge appliance offers better protection.
3. Right-click the icon and select Properties from the pop-up menu that
opens.
4. In the above window, check if TCP/IP appears in the components list and if it is
properly configured with the Ethernet card installed on your computer. If
TCP/IP does not appear in the Components list, you must install it as described in
the next section.
TCP/IP Settings
1. In the Local Area Connection Properties window double-click the Internet
Protocol (TCP/IP) component, or select it and click Properties.
The Internet Protocol (TCP/IP) Properties window opens.
(Note that 192.168.10 is the default value, and it may vary if you changed it in the
My Network page.)
Windows 98/Millennium
Checking the TCP/IP Installation
1. Click Start > Settings > Control Panel.
The Control Panel window appears.
3. In the Network window, check if TCP/IP appears in the network components list
and if it is already configured with the Ethernet card installed on your
computer.
3. In the Manufacturers list choose Microsoft, and in the Network Protocols list
choose TCP/IP.
4. Click OK.
If Windows asks for original Windows installation files, provide the installation
CD and relevant path when required (e.g. D:\win98)
5. Restart your computer if prompted.
TCP/IP Settings
Note: If you are connecting your VPN-1 Edge appliance to an
existing LAN, consult your network manager for the correct
configurations.
1. In the Network window, double-click the TCP/IP service for the Ethernet card
installed on your computer.
The TCP/IP Properties window opens.
3. Click the DNS Configuration tab, and click the Disable DNS radio button.
4. Click the IP Address tab, and click the Obtain an IP address automatically radio
button.
(Note that 192.168.10 is the default value, and it may vary if you
changed it in the My Network page.)
5. Click Yes when prompted for “Do you want to restart your computer?”.
Your computer restarts, and the new settings take effect.
Your computer is now ready to access your VPN-1 Edge appliance.
Mac OS
Use the following procedure for setting up the TCP/IP Protocol.
Mac OS-X
Use the following procedure for setting up the TCP/IP Protocol.
1. Choose Apple -> System Preferences.
The System Preferences window appears.
2. Click Network.
The Network window appears.
3. Click Configure.
4. Click the Configure IPv4 drop-down list, and select Using DHCP.
5. Click Apply Now.
If desired, you can mount your VPN-1 Edge W series appliance on the wall.
Note: Mounting the appliance facing downwards is not recommended, as dust might
accumulate in unused ports.
3. Mark two drill holes on the wall, in accordance with the following sketch:
Note: The conical anchors you received with your VPN-1 Edge appliance are
suitable for concrete walls. If you want to mount the appliance on a plaster wall, you
must use anchors that are suitable for plaster walls.
6. Insert the two screws you received with your VPN-1 Edge appliance into the
plastic conical anchors, and turn them until they protrude approximately 5 mm
from the wall.
7. Align the holes on the VPN-1 Edge appliance's underside with the screws on the
wall, then push the appliance in and down.
Your VPN-1 Edge appliance is wall mounted. You can now connect it to your
computer. See Network Installation on page 37.
The VPN-1 Edge W series features a security slot to the rear of the right panel,
which enables you to secure your appliance against theft, using an anti-theft
security device.
Note: Anti-theft security devices are available at most computer hardware stores.
This procedure explains how to install a looped security cable on your appliance. A
looped security cable typically includes the parts shown in the diagram below.
While these parts may differ between devices, all looped security cables include a
bolt with knobs, as shown in the diagram below:
4. Insert the bolt into the VPN-1 Edge appliance's security slot, then slide the bolt
to the Closed position until the bolt's holes are aligned.
5. Thread the anti-theft device's pin through the bolt’s holes, and insert the pin into
the main body of the anti-theft device, as described in the documentation that
came with your device.
Network Installation
1. Verify that you have the correct cable type.
For information, see Network Requirements.
2. Connect the LAN cable:
• Connect one end of the Ethernet cable to one of the LAN ports at the back
of the unit.
• Connect the other end to PCs, hubs, or other network devices.
3. Connect the WAN cable:
• Connect one end of the Ethernet cable to the WAN port at the back of the
unit.
• Connect the other end of the cable to a Cable Modem, xDSL modem or
office network.
4. Connect the power adapter to the power socket, labeled PWR, at the back of the
VPN-1 Edge appliance.
5. Plug the power adapter into the wall electrical outlet.
Warning: The VPN-1 Edge appliance power adapter is compatible with either 100,
120 or 230 VAC input power. Verify that the wall outlet voltage is compatible with
the voltage specified on your power adapter. Failure to observe this warning may
result in injuries or damage to equipment.
After you have installed the VPN-1 Edge appliance, you must set it up using the
steps shown below.
When setting up your VPN-1 Edge appliance for the first time after installation,
these steps follow each other automatically. After you have logged on and set up
your password, the VPN-1 Edge Setup Wizard automatically opens and displays
the dialog boxes for configuring your Internet connection. After you have
configured your Internet connection, the Setup Wizard automatically displays the
dialog boxes for registering your VPN-1 Edge appliance. If desired, you can exit
the Setup Wizard and perform each of these steps separately.
You can access the Setup Wizard at any time after initial setup, using the procedure
below.
Chapter 3
Getting Started
This chapter contains all the information you need in order to get started using your
VPN-1 Edge appliance.
This chapter includes the following topics:
Initial Login to the VPN-1 Edge Portal ......................................................41
Logging on to the VPN-1 Edge Portal........................................................44
Accessing the VPN-1 Edge Portal Remotely Using HTTPS......................46
Using the VPN-1 Edge Portal.....................................................................48
Logging off.................................................................................................53
The first time you log on to the VPN-1 Edge Portal, you must set up your
password.
2. Type a password both in the Password and the Confirm Password fields.
Note: You can change your password at any time. For further information, see
Changing Your Password.
3. Click OK.
The VPN-1 Edge Setup Wizard opens, with the Welcome page displayed.
Note: By default, HTTP and HTTPS access to the VPN-1 Edge Portal is not allowed
from the WLAN, unless you do one of the following:
• Configure a specific firewall rule to allow access from the WLAN. See
Using Rules on page 212.
Or
• Enable HTTPS access from the Internet. See Configuring HTTPS on
page 404.
You can access the VPN-1 Edge Portal remotely (from the Internet) through
HTTPS. HTTPS is a protocol for accessing a secure Web server. It is used to
transfer confidential user information. If desired, you can also use HTTPS to access
the VPN-1 Edge Portal from your internal network.
Note: In order to access the VPN-1 Edge Portal remotely using HTTPS, you must
first do both of the following:
• Configure your password, using HTTP. See Initial Login to the VPN-1
Edge Portal on page 41.
• Configure HTTPS Remote Access. See Configuring HTTPS on page
404.
Note: Your browser must support 128-bit cipher strength. To check your browser's
cipher strength, open Internet Explorer and click Help > About Internet Explorer.
• Browse to https://my.firewall.
(Note that the URL starts with “https”, not “http”.)
The VPN-1 Edge Portal appears.
• Browse to https://<firewall_IP_address>:981.
(Note that the URL starts with “https”, not “http”.)
The following things happen in the order below:
If this is your first attempt to access the VPN-1 Edge Portal through HTTPS, the
certificate in the VPN-1 Edge appliance is not yet known to the browser, so the
Security Alert dialog box appears.
To avoid seeing this dialog box again, install the certificate of the destination
VPN-1 Edge appliance. If you are using Internet Explorer 5, do the following:
a. Click View Certificate.
The Certificate dialog box appears, with the General tab displayed.
b. Click Install Certificate.
The Certificate Import Wizard opens.
c. Click Next.
d. Click Next.
e. Click Finish.
f. Click Yes.
g. Click OK.
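Before clicking through Install Certificate as described above, a practitioner should confirm that the certificate presented on port 981 is the appliance's own. The following added example (not Check Point code) records the portal certificate's SHA-256 fingerprint on first contact and flags any later change; the sample certificates it builds are constructed byte strings rather than real X.509 certificates, and my.firewall is the portal name the guide uses.

```python
"""Trust-on-first-use pin for the VPN-1 Edge Portal's HTTPS certificate.
Added example, not Check Point code. It mirrors the Security Alert above:
record the appliance certificate's fingerprint the first time, and treat any
later change as a mismatch to investigate rather than a dialog to click through."""
import base64
import hashlib
import hmac
import ssl
from typing import Dict

PORTAL_PORT = 981  # HTTPS port of the VPN-1 Edge Portal, from the guide


def fingerprint_from_pem(pem: str) -> str:
    """SHA-256 over the DER-encoded certificate, hex encoded: the value a
    browser's certificate dialog shows as the SHA-256 thumbprint."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.sha256(der).hexdigest()


def check_pin(host: str, pem: str, pins: Dict[str, str]) -> str:
    """Compare the presented certificate with the pin stored for host.
    Returns 'pinned' on first contact (pin recorded), 'match' when the
    certificate is unchanged, and 'mismatch' when it differs."""
    fp = fingerprint_from_pem(pem)
    stored = pins.get(host)
    if stored is None:
        pins[host] = fp
        return "pinned"
    # Constant-time comparison, as for any digest used in a trust decision.
    return "match" if hmac.compare_digest(stored, fp) else "mismatch"


def constructed_pem(payload: bytes) -> str:
    """Constructed stand-in certificate for offline use: a PEM wrapper around
    arbitrary bytes, NOT a real X.509 certificate."""
    body = base64.encodebytes(payload).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed sample certificates: the appliance's own and a different one.
APPLIANCE_PEM = constructed_pem(b"constructed: VPN-1 Edge appliance certificate")
OTHER_PEM = constructed_pem(b"constructed: some other certificate")


def fetch_portal_pem(host: str, port: int = PORTAL_PORT) -> str:
    """Retrieve the live portal certificate without validating it (we are
    about to pin it). Needs network access; not used by the offline samples."""
    return ssl.get_server_certificate((host, port))


if __name__ == "__main__":
    pins: Dict[str, str] = {}
    # Offline walk-through with the constructed samples.
    print(check_pin("my.firewall", APPLIANCE_PEM, pins))  # pinned
    print(check_pin("my.firewall", APPLIANCE_PEM, pins))  # match
    print(check_pin("my.firewall", OTHER_PEM, pins))      # mismatch
```

Against a live appliance, replace the constructed sample with fetch_portal_pem("my.firewall") and keep the pins dictionary somewhere persistent.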
Element: Description
Main menu: Used for navigating between the various topics (such as Reports, Security, and Setup).
Main frame: Displays information and controls related to the selected topic. The main frame may also contain tabs that allow you to view different pages related to the selected topic.
Status bar: Shows your Internet connection and managed services status.
Main Menu
The main menu includes the following submenus.
Security: Provides controls and options for setting the security of any computer in the network.
Network: Allows you to manage and configure your network settings and Internet connections.
Setup: Provides a set of tools for managing your VPN-1 Edge appliance. Allows you to upgrade your license and firmware and to configure HTTPS access to your VPN-1 Edge appliance.
Main Frame
The main frame displays the relevant data and controls pertaining to the menu and
tab you select. These elements sometimes differ depending on what model you are
using. The differences are described throughout this guide.
Status Bar
The status bar is located at the bottom of each page. It displays the fields below, as
well as the date and time.
Note: You can configure both a primary and a secondary Internet connection.
When both connections are configured, the Status bar displays both statuses.
For example “Internet [Primary]: Connected”. For information on configuring a
secondary Internet connection, see Configuring the Internet Connection on
page 55.
Logging off
• If you are connected through HTTPS, the Logout option does not appear
in the main menu. Close the browser window.
Chapter 4
Overview
You must configure your Internet connection before you can access the Internet
through the VPN-1 Edge appliance. You can configure your Internet connection
using any of the following setup tools:
• Setup Wizard. Guides you through the VPN-1 Edge appliance setup step by
step. The first part of the Setup Wizard is the Internet Wizard. For further
information on the Setup Wizard, see Setting Up the VPN-1 Edge
Appliance.
• Internet Wizard. Guides you through the Internet connection configuration
process step by step.
• Internet Setup. Offers advanced setup options. If you are using VPN-1
Edge X or W, you can do any of the following:
• Configure two Internet connections.
The Internet Wizard allows you to configure your VPN-1 Edge appliance for
Internet connection quickly and easily through its user-friendly interface. It lets you
choose between the following three types of broadband connection methods:
• Direct LAN Connection
• Cable Modem
• PPTP or PPPoE dialer
Note: The first time you log on to the VPN-1 Edge Portal, the Internet Wizard starts
automatically as part of the Setup Wizard. In this case, you should skip to step 3 in
the procedure below.
3. Click Next.
The Internet Connection Method dialog box appears.
4. Select the Internet connection method you want to use for connecting to the
Internet.
Note: If you selected PPTP or PPPoE dialer, do not use your dial-up software to
connect to the Internet.
5. Click Next.
1. Click Next.
The system attempts to connect to the Internet via the selected connection.
The Connecting… screen appears.
2. Click Finish.
1. If your ISP requires a specific hostname for authentication, type it in the Host
Name field.
The ISP will supply you with the proper hostname, if required. Most ISPs do not
require a specific hostname.
2. A MAC address is a 12-digit identifier assigned to every network device. If your
ISP restricts connections to specific, recognized MAC addresses, they will
instruct you to enter the MAC address. Otherwise, you may leave this field
blank.
If your ISP requires the MAC address, do either of the following:
• Click This Computer to automatically "clone" the MAC address of your
computer to the VPN-1 Edge appliance.
Or
• If the ISP requires authentication using the MAC address of a different
computer, enter the MAC address in the MAC cloning field.
3. Click Next.
Note: Most xDSL providers use PPPoE. If you are uncertain regarding which
connection method to use, contact your xDSL provider.
2. Click Next.
Using PPPoE
If you selected the PPPoE connection method, the DSL Configuration dialog box
appears.
Using PPTP
If you selected the PPTP connection method, the DSL Configuration dialog box
appears.
Internal IP: Type the local IP address required for accessing the PPTP modem.
3. From the Connection Type drop-down list, select the Internet connection type
you are using/intend to use.
The display changes according to the connection type you selected.
The following steps should be performed in accordance with the connection type
you have chosen.
1. Complete the fields using the relevant information in Internet Setup Fields on
page 78.
New fields appear, depending on the check boxes you selected.
2. Click Apply.
The VPN-1 Edge appliance attempts to connect to the Internet, and the Status
Bar displays the Internet status “Connecting”. This may take several seconds.
Once the connection is made, the Status Bar displays the Internet status
“Connected”.
Using No Connection
If you do not have an Internet connection, set the connection type to None.
• Click Apply.
  If your ISP has not provided you with a service name, leave this field
  empty.
Server IP
  If you selected PPTP, type the IP address of the PPTP server as given by
  your ISP.
Phone Number
  If you selected Dialup, type the phone number that the modem should dial,
  as given by your ISP.
Connect on demand
  Select this option if you do not want the dialup modem to be constantly
  connected to the Internet. The modem will dial a connection only under
  certain conditions.
When no higher priority connection is available
  Select this option to specify that the dialup modem should only dial a
  connection if no other connection exists, and the VPN-1 Edge appliance
  is not acting as a Backup appliance.
On outgoing activity
  Select this option to specify that the dialup modem should only dial a
  connection if no other connection exists, and there is outgoing activity
  (that is, packets need to be transmitted to the Internet).
Idle timeout
  Type the amount of time (in minutes) that the connection can remain idle.
  Once this period of time has elapsed, the dialup modem will disconnect.
Obtain IP address automatically (using DHCP)
  Clear this option if you do not want the VPN-1 Edge appliance to obtain
  an IP address automatically using DHCP.
Subnet Mask
  Select the subnet mask that applies to the static IP address of your
  VPN-1 Edge appliance.
Name Servers
Obtain Domain Name Servers automatically
  Clear this option if you want the VPN-1 Edge appliance to obtain an IP
  address automatically using DHCP, but not to automatically configure
  DNS servers.
Obtain WINS Server automatically
  Clear this option if you want the VPN-1 Edge appliance to obtain an IP
  address automatically using DHCP, but not to automatically configure the
  WINS server.
QoS
Shape Upstream: Link Rate
  Select this option to enable Traffic Shaper for outgoing traffic. Then
  type a rate (in kilobits/second) slightly lower than your Internet
  connection's maximum measured upstream speed in the field provided.
Shape Downstream: Link Rate
  Select this option to enable Traffic Shaper for incoming traffic. Then
  type a rate (in kilobits/second) slightly lower than your Internet
  connection's maximum measured downstream speed in the field provided.
Advanced
External IP
  If you selected PPTP, type the IP address of the PPTP client as given by
  your ISP.
  If you selected PPPoE, this field is optional, and you do not have to fill
  it in unless your ISP has instructed you to do so.
MTU
  This field allows you to control the maximum transmission unit size.
MAC Cloning
  A MAC address is a 12-digit identifier assigned to every network device.
  If your ISP restricts connections to specific, recognized MAC addresses,
  you must select this option to clone a MAC address.
Hardware MAC Address
  This field displays the VPN-1 Edge appliance's MAC address.
  This field is read-only.
  Note: In the secondary Internet connection, this field is enabled only if
  the DMZ/WAN2 port is set to WAN2.
High Availability
Do not connect if this gateway is in passive state
  If you are using High Availability (HA), select this option to specify
  that the gateway should connect to the Internet only if it is the Active
  Gateway in the HA cluster.
Dead Connection Detection
Probe Next Hop
  Select this option to automatically detect loss of connectivity to the
  default gateway. If you selected LAN, this is done by sending ARP
  requests to the default gateway. If you selected PPTP, PPPoE, or Dialup,
  this is done by sending PPP echo reply (LCP) messages to the PPP peer.
Connection Probing Method
  While the Probe Next Hop option checks the availability of the next hop
  router, which is usually at your ISP, connectivity to the next hop router
  does not always indicate that the Internet is accessible. For example, if
  there is a problem with a different router at the ISP, the next hop will
  be reachable, but the Internet might be inaccessible. Connection probing
  is a way to detect Internet failures that are more than one hop away.
  Specify what method to use for probing the connection, by selecting one
  of the following:
1, 2, 3
  If you chose the Ping Addresses connection probing method, type the IP
  addresses or DNS names of the desired servers.
  If you chose the Probe VPN Gateway (RDP) connection probing method, type
  the IP addresses or DNS names of the desired VPN gateways.
Initialization String
  Type the initialization string for the custom modem type.
Port Speed
  Select the modem's port speed (in bits per second).
For an explanation of the fields on this page, see the table below.
2. To refresh the information on this page, click Refresh.
Field Description
Duration
  Indicates the connection duration, if active. The duration is given in
  the format hh:mm:ss, where:
  hh=hours
  mm=minutes
  ss=seconds
Received Packets
  The number of data packets received in the active connection.
Sent Packets
  The number of data packets sent in the active connection.
You can temporarily disable an Internet connection. This is useful if, for example,
you are going on vacation and do not want to leave your computer connected to the
Internet. If you have two Internet connections, you can force the VPN-1 Edge
appliance to use a particular connection, by disabling the other connection.
The Internet connection’s Enabled/Disabled status is persistent through VPN-1
Edge appliance reboots.
Note: You can configure different DNS servers for the primary and secondary
connections. The VPN-1 Edge appliance acts as a DNS relay and routes requests
from computers within the network to the appropriate DNS server for the active
Internet connection.
Important: The two connections can be of different types. However, they cannot both
be LAN DHCP connections.
If desired, you can use a dialup modem as the secondary Internet connection
method. The VPN-1 Edge appliance automatically dials the modem if the primary
Internet connection fails.
Chapter 5
Note: If you change the network settings to incorrect values and are unable to
correct the error, you can reset the VPN-1 Edge appliance to its default settings.
See Resetting the VPN-1 Edge appliance to Defaults on page 432.
Note: The DHCP server only serves computers that are configured to obtain an IP
address automatically. If a computer is not configured to obtain an IP address
automatically, it is recommended to assign it an IP address outside of the DHCP
address range. If you do assign it an IP address within the DHCP address range,
the DHCP server will not assign this IP address to another computer.
If you already have a DHCP server in your internal network, and you want to use it
instead of the VPN-1 Edge DHCP server, you must disable the VPN-1 Edge DHCP
server, since you cannot have two DHCP servers or relays on the same network
segment.
If you want to use a DHCP server on the Internet or via a VPN, instead of the
VPN-1 Edge DHCP server, you can configure DHCP relay. When in DHCP relay
mode, the VPN-1 Edge appliance relays information from the desired DHCP server
to the devices on your network.
Note: You can perform DHCP reservation using network objects. For information,
see Using Network Objects on page 130.
You can enable and disable the VPN-1 Edge DHCP Server for internal networks.
Note: Enabling and disabling the DHCP Server is not available for the OfficeMode
network.
By default, the VPN-1 Edge DHCP server automatically sets the DHCP address
range. The DHCP address range is the range of IP addresses that the DHCP server
can assign to network devices. IP addresses outside of the DHCP address range are
reserved for statically addressed computers.
If desired, you can set the VPN-1 Edge DHCP range manually.
Note: Setting the DHCP range manually is not available for the OfficeMode network.
Note: DHCP relay will not work if the appliance is located behind a NAT device.
Note: Configuring DHCP options is not available for the OfficeMode network.
The Automatic DHCP range check box is disabled, and the Relay to IP field
appears.
4. In the Relay to IP field, type the IP address of the desired DHCP server.
5. Click Apply.
A warning message appears.
6. Click OK.
A success message appears.
7. If your computer is configured to obtain its IP address automatically (using
DHCP), and either the VPN-1 Edge DHCP server or another DHCP server is
enabled, restart your computer.
Your computer obtains an IP address in the DHCP address range.
If desired, you can configure the following custom DHCP options for an internal
network:
• Domain suffix
• DNS servers
• WINS servers
• NTP servers
• VoIP call managers
• TFTP server and boot filename
Note: Configuring DHCP options is not available for the DMZ or VLANs.
4. Complete the fields using the relevant information in the table below.
5. Click Apply.
6. If your computer is configured to obtain its IP address automatically (using
DHCP), restart your computer.
Your computer obtains an IP address in the DHCP address range.
Domain Name
  Type a default domain suffix that should be passed to DHCP clients.
  The DHCP client will automatically append the domain suffix for the
  resolving of non-fully qualified names. For example, if the domain suffix
  is set to "mydomain.com", and the client tries to resolve the name
  “mail”, the suffix will be automatically appended to the name, resulting
  in “mail.mydomain.com”.
Name Servers
Automatically assign DNS server (recommended)
  Clear this option if you do not want the gateway to act as a DNS relay
  server and pass its own IP address to DHCP clients.
  Normally, it is recommended to leave this option selected.
DNS Server 1, 2
  Type the IP addresses of the Primary and Secondary DNS servers to pass
  to DHCP clients instead of the gateway.
Automatically assign WINS server
  Clear this option if you do not want DHCP clients to be assigned the same
  WINS servers as specified by the Internet connection configuration (in
  the Internet Setup page).
WINS Server 1, 2
  Type the IP addresses of the Primary and Secondary WINS servers to use
  instead of the gateway.
Other Services
  These fields are not available for the OfficeMode network.
Time Server 1, 2
  To use Network Time Protocol (NTP) servers to synchronize the time on
  the DHCP clients, type the IP address of the Primary and Secondary NTP
  servers.
Call Manager 1, 2
  To assign Voice over Internet Protocol (VoIP) call managers to the DHCP
  clients, type the IP address of the Primary and Secondary VoIP servers.
TFTP Server
  Trivial File Transfer Protocol (TFTP) enables booting diskless computers
  over the network.
TFTP Boot File
  Type the boot file to use for booting DHCP clients via TFTP.
Changing IP Addresses
If desired, you can change your VPN-1 Edge appliance’s internal IP address, or the
entire range of IP addresses in your internal network. You may want to perform
these tasks if, for example, you are adding the VPN-1 Edge appliance to a large
existing network and don't want to change that network’s IP address range, or if
you are using a DHCP server other than the VPN-1 Edge appliance, that assigns
addresses within a different range.
To change IP addresses
1. Click Network in the main menu, and click the My Network tab.
The My Network page appears.
2. In the LAN network's row, click Edit.
The Edit Network Settings page appears.
3. To change the VPN-1 Edge appliance’s internal IP address, enter the new IP
address in the IP Address field.
4. To change the internal network range, enter a new value in the Subnet Mask
field.
Note: The internal network range is defined both by the VPN-1 Edge appliance’s
internal IP address and by the subnet mask.
5. Click Apply.
A warning message appears.
6. Click OK.
• The VPN-1 Edge appliance's internal IP address and/or the internal
network range are changed.
• A success message appears.
7. Do one of the following:
• If your computer is configured to obtain its IP address automatically
(using DHCP), and the VPN-1 Edge DHCP server is enabled, restart your
computer.
Your computer obtains an IP address in the new range.
• Otherwise, manually reconfigure your computer to use the new
address range using the TCP/IP settings. For information on configuring
TCP/IP, see TCP/IP Settings on page 26, on page 22.
Hide Network Address Translation (Hide NAT) enables you to share a single
public Internet IP address among several computers, by “hiding” the private IP
addresses of the internal computers behind the VPN-1 Edge appliance’s single
Internet IP address.
Note: If Hide NAT is disabled, you must obtain a range of Internet IP addresses
from your ISP. Hide NAT is enabled by default.
In addition to the LAN network, you can define a second internal network called a
DMZ (demilitarized zone) network.
For information on default security policy rules controlling traffic to and from the
DMZ, see Default Security Policy on page 206.
If you have more than one computer in the DMZ network, connect a hub or
switch to the DMZ port, and connect the DMZ computers to the hub.
2. Click Network in the main menu, and click the Ports tab.
The Ports page appears.
11. In the Subnet Mask text box, type the DMZ’s internal network range.
12. Click Apply.
A warning message appears.
13. Click OK.
A success message appears.
By default, VPN Clients connect to the VPN Server using an Internet IP address
locally assigned by an ISP. This may lead to the following problems:
• VPN Clients on the same network will be unable to communicate with
each other via the VPN-1 Edge Internal VPN Server. This is because their
IP addresses are on the same subnet, and they therefore attempt to
communicate directly over the local network, instead of through the secure
VPN link.
• Some networking protocols or resources may require the client’s IP
address to be an internal one.
OfficeMode solves these problems by enabling the VPN-1 Edge DHCP Server to
automatically assign a unique local IP address to the VPN client, when the client
connects and authenticates. The IP addresses are allocated from a pool called the
OfficeMode network.
When OfficeMode is not supported by the VPN client, traditional mode will be
used instead.
5. In the Subnet Mask text box, type the OfficeMode internal network range.
6. If desired, enable or disable Hide NAT.
See Enabling/Disabling Hide NAT on page 108.
7. If desired, configure DHCP options.
See Configuring DHCP Server Options on page 103.
8. Click Apply.
A warning message appears.
9. Click OK.
Configuring VLANs
Your VPN-1 Edge appliance allows you to partition your network into several
virtual LAN networks (VLANs). A VLAN is a logical network behind the VPN-1 Edge
appliance. Computers in the same VLAN behave as if they were on the same
physical network: traffic flows freely between them, without passing through a
firewall. In contrast, traffic between a VLAN and other networks passes through
the firewall and is subject to the security policy. By default, traffic from a VLAN to
any other internal network (including other VLANs) is blocked. In this way,
defining VLANs can increase security and reduce network congestion.
For example, you can assign each division within your organization to a different
VLAN, regardless of their physical location. The members of a division will be
able to communicate with each other and share resources, and only members who
need to communicate with other divisions will be allowed to do so. Furthermore,
you can easily transfer a member of one division to another division without
rewiring your network, by simply reassigning them to the desired VLAN.
• Port-based
Port-based VLAN allows assigning the appliance's LAN ports to VLANs,
effectively transforming the appliance's four-port switch into up to four firewall-
isolated security zones. You can assign multiple ports to the same VLAN, or
each port to a separate VLAN.
5. In the IP Address field, type the IP address of the VLAN network's default
gateway.
6. In the Subnet Mask field, type the VLAN's internal network range.
7. If desired, enable or disable Hide NAT.
See Enabling/Disabling Hide NAT on page 108.
8. If desired, configure a DHCP server.
See Configuring a DHCP Server on page 96.
9. Click Apply.
A warning message appears.
10. Click OK.
A success message appears.
11. Click Network in the main menu, and click the Ports tab.
The Ports page appears.
12. In the drop-down list next to the LAN port you want to assign, select the
VLAN network's name.
You can assign more than one port to the VLAN.
13. Click Apply.
7. In the Subnet Mask field, type the VLAN's internal network range.
8. If desired, enable or disable Hide NAT.
See Enabling/Disabling Hide NAT on page 108.
9. If desired, configure a DHCP server.
See Configuring a DHCP Server on page 96.
Deleting VLANs
To delete a VLAN
1. If the VLAN is port-based, do the following:
a. Click Network in the main menu, and click the Ports tab.
The Ports page appears.
b. Remove all port assignments to the VLAN, by selecting other
networks in the drop-down lists.
c. Click Apply.
2. Click Network in the main menu, and click the My Network tab.
The My Network page appears.
You can create a High Availability (HA) cluster consisting of two or more VPN-1
Edge appliances. For example, you can install two VPN-1 Edge appliances on your
network, one acting as the “Master”, the default gateway through which all
network traffic is routed, and one acting as the “Backup”. If the Master fails, the
Backup automatically and transparently takes over all the roles of the Master. This
ensures that your network is consistently protected by a VPN-1 Edge appliance and
connected to the Internet.
The gateways in a HA cluster each have a separate IP address within the local
network. In addition, the gateways share a single virtual IP address, which is the
default gateway address for the local network. Control of the virtual IP address is
passed as follows:
1. Each gateway is assigned a priority, which determines the gateway's role: the
gateway with the highest priority is the Active Gateway and uses the virtual IP
address, and the rest of the gateways are Passive Gateways.
2. The Active Gateway sends periodic signals, or “heartbeats”, to the network via a
synchronization interface.
The synchronization interface can be any internal network existing on both
gateways.
3. If the heartbeat from the Active Gateway stops (indicating that the Active
gateway has failed), the gateway with the highest priority becomes the new
Active Gateway and takes over the virtual IP address.
4. When a gateway that was offline comes back online, or a gateway's priority
changes, the gateway sends a heartbeat notifying the other gateways in the
cluster.
If the gateway's priority is now the highest, it becomes the Active Gateway.
The VPN-1 Edge appliance supports Internet connection tracking, which means
that each appliance tracks its Internet connection's status and reduces its own
Note: You can force a fail-over to a passive VPN-1 Edge appliance. You may want
to do this in order to verify that HA is working properly, or if the active VPN-1 Edge
appliance needs repairs. To force a fail-over, switch off the primary box or
disconnect it from the LAN network.
The VPN-1 Edge appliance supports configuring multiple HA clusters on the same
network segment. To this end, each cluster must be assigned a unique ID number.
When HA is configured, you can specify that only the Active Gateway in the
cluster should connect to the Internet. This is called WAN HA, and it is useful in
the following situations:
• Your Internet subscription cost is based on connection time, and
therefore having the Passive appliance needlessly connected to the Internet
costs you money.
• You want multiple appliances to share the same static IP address without
creating an IP address conflict.
WAN HA avoids an IP address change, and thereby ensures virtually uninterrupted
access from the Internet to internal servers at your network.
Before configuring HA, the following requirements must be met:
Note: You can enable the DHCP server in all VPN-1 Edge appliances. A Passive
Gateway’s DHCP server will start answering DHCP requests only if the Active
Gateway fails.
4. Next to each network for which you want to enable HA, select the HA check
box.
5. In the Virtual IP field, type the default gateway IP address.
This can be any unused IP address in the network, and must be the same for all
gateways.
6. Click the Synchronization radio button next to the network you want to use as
the synchronization interface.
You can choose any network listed.
Note: The synchronization interface must be the same for all gateways, and must
always be connected and enabled on all gateways. Otherwise, multiple appliances
may become active, causing unpredictable problems.
Priority
Interface Tracking
Internet - Primary
  Type the amount to reduce the gateway's priority if the primary Internet
  connection goes down.
Internet - Secondary
  Type the amount to reduce the gateway's priority if the secondary
  Internet connection goes down.
LAN1/2/3/4
  Type the amount to reduce the gateway's priority if the LAN port's
  Ethernet link is lost.
DMZ
  Type the amount to reduce the gateway's priority if the DMZ / WAN2
  port's Ethernet link is lost.
Advanced
Group ID
  If multiple HA clusters exist on the same network segment, type the ID
  number of the cluster to which the gateway should belong.
  The default value is 55. If only one HA cluster exists, there is no need
  to change this value.
The following procedure illustrates how to configure HA for the following two
VPN-1 Edge gateways, Gateway A and Gateway B:
(Table: network settings for Gateway A and Gateway B)
The gateways have two internal networks in common, LAN and DMZ. This means
that you can configure HA for the LAN network, the DMZ network, or both. You
can use either of the networks as the synchronization interface.
The procedure below shows how to configure HA for both the LAN and DMZ
networks. The synchronization interface is the DMZ network, the LAN virtual IP
address is 192.168.100.3, and the DMZ virtual IP address is 192.168.101.3.
Gateway A is the Active Gateway.
Gateway A will reduce its priority by 30, if its secondary Internet connection
goes down.
l. Click Apply.
A success message appears.
6. Do the following on Gateway B:
a. Set the gateway's internal IP addresses and network range to the
values specified in the table above.
See Changing IP Addresses on page 107.
b. Click Setup in the main menu, and click the High Availability tab.
The High Availability page appears.
c. Select the Gateway High Availability check box.
The Gateway High Availability area is enabled. The LAN and DMZ networks
are listed.
d. Next to LAN, select the HA check box.
e. In the LAN network's Virtual IP field, type the default gateway IP
address 192.168.100.3.
f. Next to DMZ, select the HA check box.
g. In the DMZ network's Virtual IP field, type the default gateway IP
address 192.168.101.3.
h. Click the Synchronization radio button next to DMZ.
i. In the My Priority field, type "60".
The low priority means that Gateway B will be the Passive Gateway.
j. In the Internet - Primary field, type "20".
Gateway B will reduce its priority by 20, if its Internet connection goes
down.
k. Click Apply.
A success message appears.
Gateway A's priority is 100, and Gateway B's priority is 60. So long as one of
Gateway A's Internet connections is up, Gateway A is the Active Gateway, because
its priority is higher than that of Gateway B.
If both of Gateway A's Internet connections are down, it deducts from its priority
20 (for the primary connection) and 30 (for the secondary connection), reducing its
priority to 50. In this case, Gateway B's priority is the higher priority, and it
becomes the Active Gateway.
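The election rules above (highest priority holds the virtual IP, Interface Tracking deducts a configured amount for each tracked link that is down) and the Gateway A / Gateway B walk-through can be replayed in a few lines. The following is an added illustration, not code from the guide or from the appliance; the Gateway class, elect_active(), and the interface names used as dictionary keys are assumptions made for this example.

```python
"""Worked example of Active Gateway election in a VPN-1 Edge HA cluster.

Added illustration, not code from the Check Point guide. It models the
priority rules the guide describes and replays the Gateway A / Gateway B
scenario. The Gateway class, elect_active() and the interface-name keys
are assumptions made for this example.
"""

from dataclasses import dataclass, field


@dataclass
class Gateway:
    name: str
    my_priority: int                         # the "My Priority" field
    # Interface Tracking: interface -> amount deducted while that interface is down
    tracking: dict = field(default_factory=dict)
    down: set = field(default_factory=set)   # interfaces currently down

    def effective_priority(self) -> int:
        """My Priority minus the deduction of every tracked interface that is down."""
        deduction = sum(amount for iface, amount in self.tracking.items()
                        if iface in self.down)
        return self.my_priority - deduction


def elect_active(gateways, current_active=None):
    """Return the name of the gateway that should hold the virtual IP address.

    The gateway with the highest effective priority becomes Active. The guide
    does not say how an exact tie is resolved; as an assumption, this example
    lets the gateway currently holding the virtual IP keep it on a tie.
    """
    best = max(gateways, key=lambda g: g.effective_priority())
    top = best.effective_priority()
    tied = [g.name for g in gateways if g.effective_priority() == top]
    if current_active in tied:
        return current_active
    return best.name


def walk_through_example():
    """Replay the two-gateway configuration from the procedure above."""
    a = Gateway("Gateway A", 100, {"Internet - Primary": 20, "Internet - Secondary": 30})
    b = Gateway("Gateway B", 60, {"Internet - Primary": 20})
    cluster = [a, b]
    states = {}

    states["all links up"] = elect_active(cluster)                  # A 100 vs B 60

    a.down = {"Internet - Secondary"}                               # A 70 vs B 60
    states["A secondary down"] = elect_active(cluster, "Gateway A")

    a.down = {"Internet - Primary", "Internet - Secondary"}         # A 50 vs B 60
    states["A both down"] = elect_active(cluster, "Gateway A")

    b.down = {"Internet - Primary"}                                 # A 50 vs B 40
    states["A both down, B primary down"] = elect_active(cluster, "Gateway B")
    return states


if __name__ == "__main__":
    for scenario, active in walk_through_example().items():
        print(f"{scenario:32} -> {active} is the Active Gateway")
```

The last scenario is the one to keep in mind when choosing deduction values: once Gateway B also loses its Internet connection, control returns to Gateway A even though both gateways are offline, so the deductions should be sized so that a gateway with a working connection always outranks one without.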
You can add individual computers or networks as network objects. This enables
you to configure various settings for the computer or network represented by the
network object.
You can configure the following settings for a network object:
• Static NAT (or One-to-One NAT)
Static NAT allows the mapping of Internet IP addresses or address ranges to
hosts inside the internal network. This is useful if you want a computer in your
private network to have its own Internet IP address. For example, if you have
both a mail server and a Web server in your network, you can map each one to a
separate Internet IP address.
Static NAT rules do not imply any security rules. To allow incoming traffic to a
host for which you defined Static NAT, you must create an Allow rule. When
specifying firewall rules for such hosts, use the host’s internal IP address, and
not the Internet IP address to which the internal IP address is mapped. For
further information, see Using Rules on page 212.
Note: The VPN-1 Edge appliance supports Proxy ARP (Address Resolution
Protocol). When an external source attempts to communicate with such a
computer, the VPN-1 Edge appliance automatically replies to ARP queries with its
own MAC address, thereby enabling communication. As a result, the Static NAT
Internet IP addresses appear to external sources to be real computers connected to
the WAN interface.
The VPN-1 Edge Network Object Wizard opens, with the Step 1: Network Object
Type dialog box displayed.
The Step 2: Computer Details dialog box appears. If you chose Single Computer,
the dialog box includes the Perform Static NAT option.
If you chose Network, the dialog box does not include this option.
If a computer has not yet been added as a network object, the Add button
appears next to it. If a computer has already been added as a network object, the
Edit button appears next to it.
2. Do one of the following:
• To add a network object, click Add next to the desired computer.
• To edit a network object, click Edit next to the desired computer.
The VPN-1 Edge Network Object Wizard opens, with the Step 1: Network Object
Type dialog box displayed.
3. Do one of the following:
• To specify that the network object should represent a single computer or
device, click Single Computer.
IP Address
  Type the IP address of the local computer, or click This Computer to
  specify your computer.
Reserve a fixed IP address for this computer
  Select this option to assign the network object's IP address to a MAC
  address, and to allow the network object to connect to the WLAN when
  MAC Filtering is used. For information about MAC Filtering, see
  Configuring a Wireless Network on page 163.
MAC Address
  Type the MAC address you want to assign to the network object's IP
  address, or click This Computer to specify your computer's MAC address.
Perform Static NAT (Network Address Translation)
  Select this option to map the local computer's IP address to an Internet
  IP address.
  You must then fill in the External IP field.
External IP
  Type the Internet IP address to which you want to map the local
  computer's IP address.
Exclude this computer from HotSpot enforcement
  Select this option to exclude the network object from HotSpot
  enforcement.
Perform Static NAT (Network Address Translation)
  Select this option to map the network's IP address range to a range of
  Internet IP addresses of the same size.
  You must then fill in the External IP Range field.
External IP Range
  Type the Internet IP address range to which you want to map the
  network's IP address range.
Exclude this network from HotSpot enforcement
  Select this option to exclude this network from HotSpot enforcement.
A static route is a setting that explicitly specifies the route for packets originating
in a certain subnet and/or destined for a certain subnet. Packets whose source and
destination do not match any defined static route will be routed to the default
gateway. To modify the default gateway, see Using a LAN Connection on page
66.
A static route can be based on the packet's destination IP address, or based on the
source IP address, in which case it is a source route.
Source routing can be used, for example, for load balancing between two Internet
connections. For example, if you have an Accounting department and a Marketing
department, and you want each to use a different Internet connection for outgoing
traffic, you can add a static route specifying that traffic originating from the
Accounting department should be sent via WAN1, and another static route
specifying that traffic originating from the Marketing department should be sent via
WAN2.
The Static Routes page lists all existing routes, including the default, and indicates
whether each route is currently "Up" (reachable) or not.
The Static Routes page appears, with a list of existing static routes.
The Static Route Wizard opens displaying the Step 1: Source and Destination
dialog box.
6. In the Next Hop IP field, type the IP address of the gateway (next hop router) to
which to route the packets destined for this network.
7. In the Metric field, type the static route's metric.
The gateway sends a packet to the route that matches the packet's destination
and has the lowest metric.
The default value is 10.
8. Click Next.
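The route selection rule described above (a packet follows the matching static route with the lowest metric, and the default gateway otherwise) can be modelled directly, including the Accounting/Marketing source-routing case. The code below is an added example, not code from the guide or the appliance; the StaticRoute class, the subnets, next-hop addresses and the first-listed tie-break are assumptions constructed for illustration.

```python
"""Static route selection, modelled after the rule in the guide.

Added example, not code from the guide or the appliance. Routes marked "Up"
that match the packet's source and/or destination are candidates, the lowest
metric wins, and the default gateway is used when nothing matches. The
StaticRoute class, all addresses and the tie-break are assumptions.
"""

import ipaddress
from dataclasses import dataclass


@dataclass
class StaticRoute:
    source: str        # CIDR of the originating subnet, or "any"
    destination: str   # CIDR of the destination subnet, or "any"
    next_hop: str      # the Next Hop IP field
    metric: int = 10   # the guide's default metric
    up: bool = True    # whether the route is currently reachable ("Up")

    def matches(self, src_ip, dst_ip):
        src = ipaddress.ip_address(src_ip)
        dst = ipaddress.ip_address(dst_ip)
        src_ok = self.source == "any" or src in ipaddress.ip_network(self.source)
        dst_ok = self.destination == "any" or dst in ipaddress.ip_network(self.destination)
        return src_ok and dst_ok


def select_next_hop(routes, default_gateway, src_ip, dst_ip):
    """Return the next hop for a packet from src_ip to dst_ip.

    Among matching routes that are up, the lowest metric wins; on equal
    metrics the route listed first is used (assumption: the guide does not
    state a tie-break). With no match, the packet goes to the default gateway.
    """
    candidates = [r for r in routes if r.up and r.matches(src_ip, dst_ip)]
    if not candidates:
        return default_gateway
    return min(candidates, key=lambda r: r.metric).next_hop


# Constructed routing table for the Accounting / Marketing scenario.
# All subnets and next-hop addresses are made up for this example.
ROUTES = [
    # Source routes: each department leaves through a different Internet connection
    StaticRoute("192.168.100.0/25", "any", "10.1.1.1"),        # Accounting -> WAN1 router
    StaticRoute("192.168.100.128/25", "any", "10.2.2.1"),      # Marketing  -> WAN2 router
    # Destination routes: two paths to a branch network, the preferred one has the lower metric
    StaticRoute("any", "172.16.0.0/16", "192.168.100.250", metric=5),
    StaticRoute("any", "172.16.0.0/16", "192.168.100.251", metric=20),
    # A route whose next hop is down is ignored
    StaticRoute("any", "172.31.0.0/16", "192.168.100.252", metric=1, up=False),
]
DEFAULT_GATEWAY = "10.0.0.1"

if __name__ == "__main__":
    for src, dst in [("192.168.100.10", "203.0.113.5"),
                     ("192.168.100.140", "203.0.113.5"),
                     ("192.168.100.140", "172.16.4.4"),
                     ("192.168.101.5", "203.0.113.5")]:
        print(f"{src:16} -> {dst:14} via {select_next_hop(ROUTES, DEFAULT_GATEWAY, src, dst)}")
```

Note that a packet from Marketing to the branch network 172.16.0.0/16 takes the destination route with metric 5 rather than the Marketing source route with the default metric of 10, so metrics decide the outcome when a source route and a destination route both match.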
Managing Ports
The VPN-1 Edge appliance enables you to quickly and easily assign its ports to
different uses, as shown in the table below. Furthermore, you can restrict each port
to a specific link speed and duplex setting.
• VLAN network
• VLAN trunk
• Serial console
You can view the status of the VPN-1 Edge appliance's ports on the Ports page,
including each Ethernet connection's duplex state. This is useful if you need to
check whether the appliance's physical connections are working, and you can’t see
the LEDs on front of the appliance.
Note: The LAN ports' statuses are displayed only in the VPN-1 Edge W series.
You can assign ports to different networks or purposes. Since modifying port
assignments often requires additional configurations, use the table below to
determine which procedure you should use:
By default, the VPN-1 Edge automatically detects the link speed and duplex. If
desired, you can manually restrict the VPN-1 Edge appliance's ports to a specific
link speed and duplex.
Note: In the VPN-1 Edge model SBX-166LHG-2, restricting the link speed and
duplex is available for the WAN and DMZ ports, and not for LAN ports 1-4.
You can reset the VPN-1 Edge appliance's ports to their default link configurations
("Automatic Detection") and default assignments (shown in the table below).
1-4: LAN
RS232: Modem
Chapter 6
Overview
Traffic Shaper is a bandwidth management solution that allows you to set
bandwidth policies to control the flow of communication. Traffic Shaper ensures
that important traffic takes precedence over less important traffic, so that your
business can continue to function with minimum disruption, despite network
congestion.
Traffic Shaper uses Stateful Inspection technology to access and analyze data
derived from all communication layers. This data is used to classify traffic in up to
eight user-defined Quality of Service (QoS) classes. Traffic Shaper divides
available bandwidth among the classes according to weight. For example, suppose
Web traffic is deemed three times as important as FTP traffic, and these services
are assigned weights of 30 and 10 respectively. If the lines are congested, Traffic
Shaper will maintain the ratio of bandwidth allocated to Web traffic and FTP traffic
at 3:1.
If a specific class is not using all of its bandwidth, the leftover bandwidth is divided
among the remaining classes, in accordance with their relative weights. In the
example above, if only one Web and one FTP connection are active and they are
competing, the Web connection will receive 75% (30/40) of the leftover
bandwidth, and the FTP connection will receive 25% (10/40) of the leftover
bandwidth. If the Web connection closes, the FTP connection will receive 100% of
the bandwidth.
Traffic Shaper allows you to give a class a bandwidth limit. A class's bandwidth
limit is the maximum amount of bandwidth that connections belonging to that class
may use together. Once a class has reached its bandwidth limit, connections
belonging to that class will not be allocated further bandwidth, even if there is
unused bandwidth available. For example, you can limit all traffic used by Peer-
To-Peer file-sharing applications to a specific rate, such as 512 kilobit per second.
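The weight-based sharing and the per-class bandwidth limit described above combine into one allocation rule: divide the link by weight, pin any class whose share would exceed its limit to that limit, and redistribute the surplus among the remaining classes by weight. The following is an added worked example, not code from the guide or from Traffic Shaper itself; the allocate() function, the class names and the link rates are assumptions constructed for illustration, and guaranteed minimum rates and delay sensitivity are deliberately left out.

```python
"""Weighted bandwidth sharing with per-class limits, as Traffic Shaper describes it.

Added example, not code from the guide or the appliance. allocate(), the class
names and the link rates are assumptions for illustration; guaranteed minimum
rates and delay sensitivity are not modelled.
"""


def allocate(link_kbps, classes):
    """Divide link_kbps among the active QoS classes.

    classes maps a class name to (weight, limit_kbps); limit_kbps is None when
    the class has no bandwidth limit. Pass only classes that currently have
    active connections, since idle classes take no part in the sharing.
    Returns a dict of class name -> allocated kbps.
    """
    allocation = {}
    remaining = float(link_kbps)
    unsettled = dict(classes)
    while unsettled and remaining > 0:
        total_weight = sum(weight for weight, _ in unsettled.values())
        if total_weight <= 0:
            break
        shares = {name: remaining * weight / total_weight
                  for name, (weight, _) in unsettled.items()}
        # A class whose weighted share exceeds its limit is pinned to the limit;
        # the surplus is shared again among the classes still unsettled.
        capped = {name: limit for name, (_, limit) in unsettled.items()
                  if limit is not None and shares[name] > limit}
        if not capped:
            allocation.update(shares)
            return allocation
        for name, limit in capped.items():
            allocation[name] = float(limit)
            remaining -= limit
            del unsettled[name]
    # Reached only when every class is pinned to its limit: leftover stays unused
    return allocation


def demo():
    """The Web/FTP example from the text, then a limited Peer-to-Peer class."""
    return {
        "web+ftp on 1000 kbps": allocate(1000, {"Web": (30, None), "FTP": (10, None)}),
        "ftp alone on 1000 kbps": allocate(1000, {"FTP": (10, None)}),
        "web+p2p(512 limit) on 4000 kbps": allocate(4000, {"Web": (30, None), "P2P": (10, 512)}),
        "p2p alone on 2000 kbps": allocate(2000, {"P2P": (10, 512)}),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, {k: round(v) for k, v in result.items()})
```

With Web and FTP competing on a 1000 kbps link the split is 750/250, matching the 3:1 ratio in the text; once the P2P class hits its 512 kbps limit on the 4000 kbps link the rest (3488 kbps) goes to Web, and a P2P class alone on a 2000 kbps link still receives only 512 kbps.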
Traffic Shaper also allows you to assign a “Delay Sensitivity” value to a class,
indicating whether connections belonging to the class should be given precedence
over connections belonging to other classes.
Traffic Shaper supports DiffServ (Differentiated Services) Packet Marking.
DiffServ marks packets as belonging to a certain Quality of Service class. These
packets are then granted priority on the public network according to their class.
2. Define QoS classes that reflect your communication needs. Alternatively, use
the four built-in QoS classes.
See Adding and Editing a Class on page 156.
3. Use Allow or Allow and Forward rules to assign different types of connections
to QoS classes.
For example, if Traffic Shaper is enabled for outgoing traffic, and you create an
Allow rule associating all outgoing VPN traffic with the Urgent QoS class, then
Traffic Shaper will handle outgoing VPN traffic as specified in the bandwidth
policy for the Urgent class.
See Adding and Editing Rules on page 216.
Low Priority (Bulk Traffic)
  Weight 5, delay sensitivity Low. Traffic that is not sensitive to long
  delays. For example, SMTP traffic (outgoing email).
2. Click Add.
The VPN-1 Edge QoS Class Editor wizard opens, with the Step 1 of 3: Quality of
Service Parameters dialog box displayed.
3. Complete the fields using the relevant information in the table below.
4. Click Next.
The Step 2 of 3: Advanced Options dialog box appears.
5. Complete the fields using the relevant information in the table below.
Note: Traffic Shaper may not enforce guaranteed rates and relative weights for
incoming traffic as accurately as for outgoing traffic. This is because Traffic Shaper
cannot control the number or type of packets it receives from the Internet; it can
only affect the rate of incoming traffic by dropping received packets. It is therefore
recommended to enable traffic shaping for incoming traffic only if necessary. For
information on enabling Traffic Shaper for incoming and outgoing traffic, see Using
Internet Setup on page 65.
6. Click Next.
The Step 3 of 3: Save dialog box appears with a summary of the class.
Relative Weight: Type a value indicating the class's importance relative to the
other defined classes.
For example, if you assign one class a weight of 100, and you assign another
class a weight of 50, the first class will be allocated twice the amount of
bandwidth as the second when the lines are congested.
Delay Sensitivity: Select the degree of precedence to give this class in the
transmission queue: High (Interactive Traffic), Medium (Normal Traffic), or Low
(Bulk Traffic).
Traffic Shaper serves delay-sensitive traffic with a lower latency. That is,
Traffic Shaper attempts to send packets with a "High (Interactive Traffic)"
level before packets with a "Medium (Normal Traffic)" or "Low (Bulk Traffic)"
level.
Outgoing Traffic: Guarantee At Least: Select this option to guarantee a minimum
bandwidth for outgoing traffic belonging to this class. Then type the minimum
bandwidth (in kilobits/second) in the field provided.
Outgoing Traffic: Limit rate to: Select this option to limit the rate of
outgoing traffic belonging to this class. Then type the maximum rate (in
kilobits/second) in the field provided.
Incoming Traffic: Guarantee At Least: Select this option to guarantee a minimum
bandwidth for incoming traffic belonging to this class. Then type the minimum
bandwidth (in kilobits/second) in the field provided.
Incoming Traffic: Limit rate to: Select this option to limit the rate of
incoming traffic belonging to this class. Then type the maximum rate (in
kilobits/second) in the field provided.
DiffServ Code Point: Select this option to mark packets belonging to this class
with a DiffServ Code Point (DSCP), which is an integer between 0 and 63. Then
type the DSCP in the field provided.
The marked packets will be given priority on the public network according to
their DSCP.
To use this option, your ISP or private WAN must support DiffServ. You can
obtain the correct DSCP value from your ISP or private WAN administrator.
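The weight, guarantee and limit fields above interact once a link is congested. The following is an added example, not the appliance's own scheduler: it models the guide's stated rules (guarantee first, then weighted sharing of the remainder, never above a class's limit or demand) and the DSCP range check; the water-filling model, class names, demands and the 1000 kbps link rate are assumptions.

```python
"""Model of how a Traffic Shaper bandwidth policy shares a congested link.

Added example, not code from the VPN-1 Edge appliance. It models only the
rules stated in the guide: a class with traffic never gets less than its
guarantee, never more than its limit, and spare capacity is split among
competing classes in proportion to their relative weights. The scheduling
model (guarantees first, then weighted water-filling) and all class names,
demands and link rates are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class QoSClass:
    name: str
    weight: int                         # Relative Weight (100 vs 50 -> 2:1 share)
    guarantee_kbps: float = 0.0         # "Guarantee At Least" (0 = none)
    limit_kbps: Optional[float] = None  # "Limit rate to" (None = no limit)
    dscp: Optional[int] = None          # DiffServ Code Point, 0..63, or None

    def __post_init__(self) -> None:
        if self.weight <= 0:
            raise ValueError("weight must be positive")
        if self.dscp is not None and not 0 <= self.dscp <= 63:
            raise ValueError("DSCP must be between 0 and 63")
        if self.limit_kbps is not None and self.limit_kbps < self.guarantee_kbps:
            raise ValueError("a limit below the guarantee is contradictory")


def dscp_to_tos_byte(dscp: int) -> int:
    """DSCP occupies the upper six bits of the IP TOS / Traffic Class byte."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be between 0 and 63")
    return dscp << 2


def _cap(c: QoSClass, demand: float) -> float:
    """Most a class may receive: its demand, clipped by its rate limit."""
    return demand if c.limit_kbps is None else min(demand, c.limit_kbps)


def allocate(classes: List[QoSClass], demand_kbps: Dict[str, float],
             link_kbps: float) -> Dict[str, float]:
    """Return the kbps each class gets when demand exceeds link capacity.

    Step 1: every class with traffic receives min(cap, guarantee).
    Step 2: the remaining capacity is handed out by weight, round by round;
    a class that reaches its cap (demand or limit) drops out and its unused
    share is redistributed to the classes still competing.
    """
    alloc = {c.name: min(_cap(c, demand_kbps.get(c.name, 0.0)), c.guarantee_kbps)
             for c in classes}
    remaining = link_kbps - sum(alloc.values())
    if remaining < 0:
        raise ValueError("sum of guarantees exceeds link capacity")

    active = {c.name: c for c in classes}
    while remaining > 1e-9 and active:
        total_weight = sum(c.weight for c in active.values())
        handed_out = 0.0
        for name, c in list(active.items()):
            share = remaining * c.weight / total_weight
            headroom = _cap(c, demand_kbps.get(name, 0.0)) - alloc[name]
            given = max(0.0, min(share, headroom))
            alloc[name] += given
            handed_out += given
            if headroom - given <= 1e-9:      # class is satisfied or capped
                del active[name]
        remaining -= handed_out
        if handed_out <= 1e-9:                # nobody can take more
            break
    return alloc


if __name__ == "__main__":
    # Constructed sample: the guide's 100-vs-50 weight example on a 1000 kbps link.
    demo = [QoSClass("first", 100), QoSClass("second", 50)]
    print(allocate(demo, {"first": 1000, "second": 1000}, 1000))
```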
Deleting Classes
You cannot delete a class that is currently used by a rule. You can determine
whether a class is in use or not, by viewing the Rules page.
If desired, you can reset the Traffic Shaper bandwidth policy to use the four
predefined classes, and restore these classes to their default settings. For
information on these classes and their defaults, see Predefined QoS Classes on
page 155.
Note: This will delete any additional classes you defined in Traffic
Shaper and reset all rules to use the Default class.
If one of the additional classes is currently used by a rule, you
cannot reset Traffic Shaper to defaults. You can determine whether
a class is in use or not, by viewing the Rules page.
Chapter 7
Overview
In addition to the LAN and DMZ networks, you can define a wireless internal
network called a WLAN (wireless LAN) network, when using VPN-1 Edge W.
For information on default security policy rules controlling traffic to and from the
WLAN, see Default Security Policy on page 206.
You can configure a WLAN network in either of the following ways:
• Wireless Configuration Wizard. Guides you through the WLAN setup step
by step.
See Using the Wireless Configuration Wizard on page 178.
• Manual configuration. Offers advanced setup options.
See Manually Configuring a WLAN on page 167.
Note: It is recommended to configure the WLAN via Ethernet and not via a wireless
connection, because the wireless connection could be broken after making a
change to the configuration.
Security Protocol: Description
WEP encryption: In the WEP (Wired Equivalent Privacy) encryption security
method, wireless stations must use a pre-shared key to connect to your network.
This method is not recommended, due to known security flaws in the WEP
protocol. It is provided for compatibility with existing wireless deployments.
Note: The appliance and the wireless stations must be configured with the
same WEP key.
802.1X: RADIUS authentication, no encryption: In the 802.1x security method,
wireless stations (supplicants) attempting to connect to the access point
(authenticator) must first be authenticated by a RADIUS server (authentication
server) which supports 802.1x. All messages are passed in EAP (Extensible
Authentication Protocol).
Note: To use this security method, you must first configure a RADIUS server.
See Using RADIUS Authentication on page 380.
WPA: RADIUS authentication, encryption: The WPA (Wi-Fi Protected Access)
security method uses MIC (message integrity check) to ensure the integrity of
messages, and TKIP (Temporal Key Integrity Protocol) to enhance data
encryption.
Note: To use this security method, you must first configure a RADIUS server
which supports 802.1x. See Using RADIUS Authentication on page 380.
WPA-PSK: password authentication, encryption: The WPA-PSK security method is a
variation of WPA that does not require an authentication server. WPA-PSK
periodically changes and authenticates encryption keys. This is called
rekeying.
This option is recommended for small networks that want to authenticate and
encrypt wireless data, but do not want to install a RADIUS server.
Note: The appliance and the wireless stations must be configured with the
same passphrase.
WPA2 (802.11i): The WPA2 security method uses the more secure Advanced
Encryption Standard (AES) cipher, instead of the RC4 cipher used by WPA and
WEP.
When using WPA or WPA-PSK security methods, the VPN-1 Edge enables you to
restrict access to the WLAN network to wireless stations that support the WPA2
security method. If this setting is not selected, the VPN-1 Edge appliance
allows clients to connect using both WPA and WPA2.
Note: For increased security, it is recommended to enable the VPN-1 Edge internal
VPN Server for users connecting from your internal networks, and to install
SecuRemote on each computer in the WLAN. This ensures that all connections
from the WLAN to the LAN are encrypted and authenticated. For information, see
Internal VPN Server on page 313 and Setting Up Your VPN-1 Edge Appliance
as a VPN Server on page 314.
8. Complete the fields using the information in Basic WLAN Settings Fields on
page 170.
9. To configure advanced settings, click Show Advanced Settings and complete the
fields using the information in Advanced WLAN Settings Fields on page 174.
New fields appear.
Wireless Settings
Network Name (SSID): Type the network name (SSID) that identifies your wireless
network. This name will be visible to wireless stations passing near your
access point, unless you enable the Hide the Network Name (SSID) option.
You can prevent older wireless stations from slowing down your network, by
choosing an operation mode that restricts access to newer wireless stations.
Note: The actual data transfer speed is usually significantly lower than the
maximum theoretical bandwidth and degrades with distance.
Important: The station wireless cards must support the selected operation
mode. For a list of cards supporting 802.11g Super, refer to
http://www.super-ag.com.
Channel: Select the radio frequency to use for the wireless connection:
Security: Select the security protocol to use. For information on the supported
security protocols, see Wireless Security Protocols on page 165.
If you select WPA-PSK, the Passphrase and Require WPA2 (802.11i) fields
appear.
Passphrase: Type the passphrase for accessing the network, or click Random to
randomly generate a passphrase.
For the highest security, choose a long passphrase that is hard to guess, or
use the Random button.
Note: The wireless stations must be configured with this passphrase as well.
Require WPA2 (802.11i): Specify whether you want to require wireless stations
to connect using WPA2, by selecting one of the following:
Key 1, 2, 3, 4 radio button: Click the radio button next to the WEP key that
this gateway should use for transmission.
The selected key must be entered in the same key slot (1-4) on the station
devices, but the key need not be selected as the transmit key on the
stations.
Key 1, 2, 3, 4 length: Select the WEP key length from the drop-down list.
The possible key lengths are:
Key 1, 2, 3, 4 text box: Type the WEP key, or click Random to randomly
generate a key matching the selected length. The key is composed of
hexadecimal characters 0-9 and A-F, and is not case-sensitive.
Advanced Security
Hide the Network Name (SSID): Specify whether you want to hide your network's
SSID, by selecting one of the following:
MAC Address Filtering: Specify whether you want to enable MAC address
filtering, by selecting one of the following:
Note: MAC address filtering does not provide strong security, since MAC
addresses can be spoofed by a determined attacker. Therefore, it is not
recommended to rely on this setting alone for security.
Wireless Transmitter
The default value is Full. It is not necessary to change this value, unless
there are other access points in the vicinity.
Antenna Selection: Multipath distortion is caused by the reflection of Radio
Frequency (RF) signals traveling from the transmitter to the receiver along
more than one path. Signals that were reflected by some surface reach the
receiver after non-reflected signals and distort them.
Use manual diversity control (ANT 1 or ANT 2), if there is only one antenna
connected to the appliance.
Fragmentation Threshold: Type the smallest IP packet size (in bytes) that
requires that the IP packet be split into smaller fragments.
RTS Threshold: Type the smallest IP packet size for which a station must send
an RTS (Request To Send) before sending the IP packet.
If multiple wireless stations are in range of the access point, but not in
range of each other, they might send data to the access point simultaneously,
thereby causing data collisions and failures. RTS ensures that the channel is
clear before each packet is sent.
If your network is congested, and the users are distant from one another, set
the RTS threshold to a low value (around 500).
Multimedia QoS (WMM): Specify whether to use the Wireless Multimedia (WMM)
standard to prioritize traffic from WMM-compliant multimedia applications:
The Wireless Configuration Wizard provides a quick and simple way of setting up
your basic WLAN parameters for the first time.
5. Select the Enable wireless networking check box to enable the WLAN.
WPA-PSK
If you chose WPA-PSK, the Wireless Configuration-WPA-PSK dialog box appears.
Do the following:
1. In the text box, type the passphrase for accessing the network, or click Random
to randomly generate a passphrase.
This must be between 8 and 63 characters. It can contain spaces and special
characters, and is case-sensitive.
2. Click Next.
3. Click Next.
The Wireless Security Complete dialog box appears.
4. Click Finish.
The wizard closes.
5. Prepare the wireless stations.
See Preparing the Wireless Stations on page 184.
WEP
If you chose WEP, the Wireless Configuration-WEP dialog box appears.
Do the following:
1. Choose a WEP key length.
The possible key lengths are:
• 64 Bits - The key length is 10 hexadecimal characters.
• 128 Bits - The key length is 26 hexadecimal characters.
• 152 Bits - The key length is 32 hexadecimal characters.
Some wireless card vendors call these lengths 40/104/128, respectively.
Note that WEP is generally considered to be insecure, regardless of the selected
key length.
2. In the text box, type the WEP key, or click Random to randomly generate a key
matching the selected length.
The key is composed of characters 0-9 and A-F, and is not case-sensitive. The
wireless stations must be configured with this same key.
3. Click Next.
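The following is an added example, not part of the guide or the appliance's code: it checks the WEP key lengths and the WPA-PSK passphrase rule stated above, and derives the WPA-PSK key the way IEEE 802.11i specifies (PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations), which is why the appliance and every station must be configured with exactly the same passphrase and SSID. The passphrase length used by random_wpa_passphrase() and the printable-ASCII restriction are assumptions taken from 802.11i, not from the guide.

```python
"""Key checks for the WEP and WPA-PSK settings described in the guide.

Added example, not code from the VPN-1 Edge appliance. The WEP lengths
(64/128/152 bits = 10/26/32 hexadecimal digits) and the WPA-PSK passphrase
rule (8 to 63 characters, case-sensitive) are the guide's. wpa_psk_pmk() is
the IEEE 802.11i passphrase-to-key mapping (PBKDF2-HMAC-SHA1, SSID as salt,
4096 iterations, 256-bit result); a station reproduces the appliance's key
only when both its passphrase and its SSID match.
"""
import hashlib
import secrets

# WEP key length in bits -> number of hexadecimal digits the key must have.
WEP_HEX_DIGITS = {64: 10, 128: 26, 152: 32}
_HEX = set("0123456789abcdefABCDEF")


def valid_wep_key(key: str, bits: int) -> bool:
    """True if key has exactly the right number of hex digits for the length."""
    if bits not in WEP_HEX_DIGITS:
        raise ValueError("WEP key length must be 64, 128 or 152 bits")
    return len(key) == WEP_HEX_DIGITS[bits] and all(ch in _HEX for ch in key)


def random_wep_key(bits: int) -> str:
    """Equivalent of the Random button: a key of the selected length."""
    n_digits = WEP_HEX_DIGITS[bits]          # always even, so n_digits // 2 bytes
    return secrets.token_hex(n_digits // 2).upper()


def valid_wpa_passphrase(passphrase: str) -> bool:
    """8 to 63 characters (guide); printable ASCII is the 802.11i constraint."""
    return 8 <= len(passphrase) <= 63 and all(32 <= ord(c) <= 126 for c in passphrase)


def random_wpa_passphrase(length: int = 20) -> str:
    """Equivalent of the Random button for WPA-PSK (the length is an assumption)."""
    alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def wpa_psk_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit Pairwise Master Key from passphrase and SSID."""
    if not valid_wpa_passphrase(passphrase):
        raise ValueError("WPA-PSK passphrase must be 8-63 printable characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def station_key_matches(appliance_pmk: bytes, passphrase: str, ssid: str) -> bool:
    """Check that a station's settings reproduce the appliance's key (case matters)."""
    return secrets.compare_digest(appliance_pmk, wpa_psk_pmk(passphrase, ssid))


if __name__ == "__main__":
    # "password" / "IEEE" is the published 802.11i test vector, not a real network.
    print(wpa_psk_pmk("password", "IEEE").hex())
    print(random_wep_key(128), random_wpa_passphrase())
```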
No Security
The Wireless Security Complete dialog box appears.
• Click Finish.
The wizard closes.
After you have configured a WLAN, the wireless stations must be prepared for
connection to the WLAN.
Note: Some wireless cards have "Infrastructure" and "Ad-hoc" modes. These modes
are also called "Access Point" and "Peer to Peer". Choose the "Infrastructure" or
"Access Point" mode.
You can set the wireless cards to either "Long Preamble" or "Short Preamble".
Note: The wireless cards' region and the VPN-1 Edge appliance's region must both
match the region of the world where you are located. If you purchased your VPN-1
Edge appliance in a different region, contact technical support.
Note: You can observe any changes in the wireless reception in the Active Computers
page. Make sure to refresh the page after making a change.
Note: Professional companies are available for help in setting up reliable wireless
networks, with access to specialized testing equipment and procedures.
There are excessive collisions between wireless stations. What should I do?
If you have many concurrently active wireless stations, there may be collisions
between them. Such collisions may be the result of a "hidden node" problem: not
all of the stations are within range of each other, and therefore are "hidden" from
one another. For example, if station A and station C do not detect each other, but
both stations detect and are detected by station B, then both station A and C may
attempt to send packets to station B simultaneously. In this case, the packets will
collide, and station B will receive corrupted data.
The solution to this problem lies in the use of the RTS protocol. Before sending a
certain size IP packet, a station sends an RTS (Request To Send) packet. If the
recipient is not currently receiving packets from another source, it sends back a
CTS (Clear To Send) packet, indicating that the station can send the IP packet. Try
setting the RTS Threshold parameter in the WLAN's advanced settings (see
Manually Configuring a WLAN on page 167) to a lower value. This will cause
stations to use RTS for smaller IP packets, thus decreasing the likelihood of
collisions.
Note: Reducing the RTS Threshold and the Fragmentation Threshold too much can
have a negative impact on performance.
Note: Setting an RTS Threshold value equal to the Fragmentation Threshold value
effectively disables RTS.
Chapter 8
Viewing Reports
This chapter describes the VPN-1 Edge Portal reports.
This chapter includes the following topics:
Viewing the Event Log.............................................................................189
Using the Traffic Monitor ........................................................................193
Viewing Computers..................................................................................196
Viewing Connections ...............................................................................199
Viewing Wireless Statistics ......................................................................200
You can track network activity using the Event Log. The Event Log displays the
most recent events and color-codes them.
Blue: Changes in your setup that you have made yourself or as a result of a
security update implemented by your Service Center.
You can create firewall rules specifying that certain types of connections should be
logged, whether the connections are incoming or outgoing, blocked or accepted.
For information, see Using Rules on page 212.
The logs detail the date and the time the event occurred, and its type. If the event is
a communication attempt that was rejected by the firewall, the event details include
the source and destination IP address, the destination port, and the protocol used for
the communication attempt (for example, TCP or UDP). If the event is a
connection made or attempted over a VPN tunnel, the event is marked by a lock
icon in the VPN column.
This information is useful for troubleshooting. You can export the logs to an *.xls
(Microsoft Excel) file, and then store it for analysis purposes or send it to technical
support.
Note: You can configure the VPN-1 Edge appliance to send event logs to a Syslog
server. For information, see Configuring Syslog Logging on page 398.
a. Click Save.
A standard File Download dialog box appears.
b. Click Save.
The Save As dialog box appears.
c. Browse to a destination directory of your choice.
d. Type a name for the configuration file and click Save.
The *.xls file is created and saved to the specified directory.
5. To clear all displayed events:
a. Click Clear.
A confirmation message appears.
b. Click OK.
All events are cleared.
You can view incoming and outgoing traffic for selected network interfaces and
QoS classes using the Traffic Monitor. This enables you to identify network traffic
trends and anomalies, and to fine-tune Traffic Shaper QoS class assignments.
The Traffic Monitor displays separate bar charts for incoming traffic and outgoing
traffic, and displays traffic rates in kilobits/second. If desired, you can change the
number of seconds represented by the bars in the charts, using the procedure
Configuring Traffic Monitor Settings on page 195.
In network traffic reports, the traffic is color-coded as described in the table below.
In the All QoS Classes report, the traffic is color-coded by QoS class.
You can export a detailed traffic report for all enabled networks and all defined
QoS classes, using the procedure Exporting General Traffic Reports on page 195.
2. In the Traffic Monitor Report drop-down list, select the network interface for
which you want to view a report.
The list includes all currently enabled networks. For example, if the DMZ
network is enabled, it will appear in the list.
If Traffic Shaper is enabled, the list also includes the defined QoS classes.
Choose All QoS Classes to display a report including all QoS classes. For
information on enabling Traffic Shaper see Using Internet Setup on page 65.
The selected report appears in the Traffic Monitor page.
3. To refresh all traffic reports, click Refresh.
4. To clear all traffic reports, click Clear.
Note: The firewall blocks broadcast packets used during the normal operation of
your network. This may lead to a certain amount of traffic of the type "Traffic
blocked by firewall" that appears under normal circumstances and usually does not
indicate an attack.
You can export a general traffic report that includes information for all enabled
networks and all defined QoS classes to a *.csv (Comma Separated Values) file.
You can open and view the file in Microsoft Excel.
You can configure the interval at which the VPN-1 Edge appliance should collect
traffic data for network traffic reports.
3. In the Sample monitoring data every field, type the interval (in seconds) at which
the VPN-1 Edge appliance should collect traffic data.
The default value is one sample every 1800 seconds (30 minutes).
4. Click Apply.
Viewing Computers
This option allows you to view the currently active computers on your network.
The active computers are graphically displayed, each with its name, IP address, and
settings (DHCP, Static, etc.). You can also view node limit information.
If you configured High Availability, both the master and backup appliances are
shown. If you configured OfficeMode, the OfficeMode network is shown.
If you are using VPN-1 Edge W, the wireless stations are shown. For
information on viewing statistics for these computers, see Viewing Wireless
Statistics on page 200. If a wireless station has been blocked from accessing the
Internet through the VPN-1 Edge appliance, the reason why it was blocked is
shown in red.
If you are exceeding the maximum number of computers allowed by your
license, a warning message appears, and the computers over the node limit are
marked in red. These computers are still protected, but they are blocked from
accessing the Internet through the VPN-1 Edge appliance.
If HotSpot mode is enabled for some networks, each computer's HotSpot status
is displayed next to it. The possible statuses include:
Note: To increase the number of computers allowed by your license, you can
upgrade your product. For further information, see Upgrading Your Software
Product on page 393.
Next to each computer, an Add button enables you to add a network object for
the computer, or an Edit button enables you to edit an existing network object
for the computer. For information on adding and editing network objects, see
Adding and Editing Network Objects on page 131.
2. To refresh the display, click Refresh.
3. To view node limit information, do the following:
a. Click Node Limit.
The Node Limit window appears, showing the installed software product and the
number of nodes used.
Viewing Connections
This option allows you to view the currently active connections between your
network and the external world.
If your WLAN is enabled, you can view wireless statistics for the WLAN or for
individual wireless stations.
Wireless Mode: The operation mode used by the WLAN, followed by the
transmission rate in Mbps
MAC Address: The MAC address of the VPN-1 Edge appliance's WLAN interface
Frames OK: The total number of frames that were successfully transmitted and
received
Errors: The total number of transmitted and received frames for which an error
occurred
Discarded/Dropped Frames: The total number of discarded or dropped frames
transmitted and received
Frames OK: The total number of frames that were successfully transmitted and
received
Errors: The total number of transmitted and received frames for which an error
occurred
Discarded/Dropped Frames: The total number of discarded or dropped frames
transmitted and received
WLAN Mode: The wireless client's operation mode, indicating the client's
maximum speed. Possible values are B, G, and 108G.
For more information, see Basic WLAN Settings Fields on page 170.
XR: Indicates whether the wireless client supports Extended Range (XR) mode.
Possible values are:
Cipher: The security protocol used for the connection with the wireless client.
Chapter 9
You can easily override the default security policy, by creating user-defined
firewall rules. For further information, see Using Rules on page 212.
The firewall security level can be controlled using a simple lever available on the
Firewall page. You can set the lever to three states.
Low: Enforces basic control on incoming connections, while permitting all
outgoing connections. All inbound traffic is blocked to the external VPN-1
Edge appliance IP address, except for ICMP echoes ("pings"). All outbound
connections are allowed.
Note: If the security policy is remotely managed, this lever might be disabled.
Note: The definitions of firewall security levels provided in this table represent the
VPN-1 Edge appliance’s default security policy. Security updates downloaded from
a Service Center may alter this policy and change these definitions.
Configuring Servers
Note: If you do not intend to host any public Internet servers (Web Server, Mail
Server etc.) in your network, you can skip this section.
Using the VPN-1 Edge Portal, you can selectively allow incoming network
connections into your network. For example, you can set up your own Web server,
Mail server or FTP server.
Note: Configuring servers allows you to create simple Allow and Forward rules for
common services, and it is equivalent to creating Allow and Forward rules in the
Rules page. For information on creating rules, see Using Rules on page 212.
The Servers page appears, displaying a list of services and a host IP address for
each allowed service.
In this column… Do this…
VPN Only: Select this option to allow only connections made through a VPN.
Host IP: Type the IP address of the computer that will run the service (one of
your network computers) or click the corresponding This Computer button to
allow your computer to host the service.
Using Rules
The VPN-1 Edge appliance checks the protocol used, the port range, and the
destination IP address, when deciding whether to allow or block traffic.
User-defined rules have priority over the default security policy rules and provide
you with greater flexibility in defining and customizing your security policy.
For example, if you assign your company’s accounting department to the LAN
network and the rest of the company to the DMZ network, then as a result of the
default security policy rules, the accounting department will be able to connect to
all company computers, while the rest of the employees will not be able to access
any sensitive information on the accounting department computers. You can
override the default security policy rules, by creating firewall rules that allow
The VPN-1 Edge appliance will process rule 1 first, allowing outgoing FTP traffic
from the specified IP address, and only then it will process rule 2, blocking all
outgoing FTP traffic.
The following rule types exist:
Rule Description
Note: You must use this type of rule to allow incoming connections if your
network uses Hide NAT.
Note: You cannot specify two Allow and Forward rules that forward the same
service to two different destinations.
Note: You cannot use an Allow rule to permit incoming traffic, if the network or
VPN uses Hide NAT. However, you can use Allow rules for static NAT IP
addresses.
The VPN-1 Edge Firewall Rule wizard opens, with the Step 1: Rule Type dialog
box displayed.
5. Complete the fields using the relevant information in the table below.
6. Click Next.
The Step 3: Destination & Source dialog box appears.
7. Complete the fields using the relevant information in the table below.
The Step 4: Done dialog box appears.
8. Click Finish.
The new rule appears in the Firewall Rules page.
Any Service: Click this option to specify that the rule should apply to any
service.
Standard Service: Click this option to specify that the rule should apply to a
specific standard service.
You must then select the desired service from the drop-down list.
Custom Service: Click this option to specify that the rule should apply to a
specific non-standard service.
The Protocol and Port Range fields are enabled. You must fill them in.
Protocol: Select the protocol (ESP, GRE, TCP, UDP or ANY) for which the rule
should apply.
Ports: To specify the port range to which the rule applies, type the start port
number in the left text box, and the end port number in the right text box.
Note: If you do not enter a port range, the rule will apply to all ports. If you
enter only one port number, the range will include only that port.
To specify an IP address range, select Specified Range and type the desired
IP address range in the fields provided.
Destination: Select the destination of the connections you want to allow or
block.
To specify an IP address range, select Specified Range and type the desired
IP address range in the fields provided. This option is not available in Allow
and Forward rules.
To specify the VPN-1 Edge IP address, select This Gateway. This option is
not available in Allow and Forward rules.
To specify any destination except the VPN-1 Edge Portal and network
printers, select ANY.
Quality of Service class: Select the QoS class to which you want to assign the
specified connections.
If Traffic Shaper is enabled, Traffic Shaper will handle these connections as
specified in the bandwidth policy for the selected QoS class. If Traffic Shaper
is not enabled, this setting is ignored. For information on Traffic Shaper and
QoS classes, see Using Traffic Shaper.
This drop-down list only appears when defining an Allow rule or an Allow and
Forward rule.
Log accepted connections / Log blocked connections: Select this option to log
the specified blocked or allowed connections.
By default, accepted connections are not logged, and blocked connections are
logged. You can modify this behavior by changing the check box's state.
Redirect to port: Select this option to redirect the connections to a specific
port.
You must then type the desired port in the field provided.
This option is called Port Address Translation (PAT), and is only available
when defining an Allow and Forward rule.
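An added example, not the appliance's rule engine, of the first-match ordering and the rule fields described above: rules are tried in the order shown on the Rules page and the first enabled match decides, with the guide's logging default (blocked connections logged, accepted ones not) and PAT redirection. The FTP rules are the pair from Using Rules; all addresses and port values are constructed samples, and "no user rule matched" is reported as None so that the default security policy can take over.

```python
"""First-match evaluation of user-defined firewall rules.

Added example, not the VPN-1 Edge rule engine. It models the rule fields the
guide lists (rule type, protocol, port range, source and destination range,
enabled state, logging default, Redirect to port) and the ordering rule from
the guide's FTP example. Rules, addresses and connections are constructed
samples; a None action means no user rule matched and the default security
policy applies.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Tuple

ANY = "ANY"
ACTIONS = ("Allow", "Block", "Allow and Forward")


def port_range(start: str = "", end: str = "") -> Optional[Tuple[int, int]]:
    """The two Ports text boxes: both empty -> all ports (None);
    only start -> that single port; both -> inclusive range."""
    if not start.strip():
        return None
    lo = int(start)
    hi = int(end) if end.strip() else lo
    if not 0 <= lo <= hi <= 65535:
        raise ValueError("bad port range")
    return lo, hi


def in_address_spec(addr: str, spec: str) -> bool:
    """spec is ANY, a single address, or a Specified Range 'first-last'."""
    if spec == ANY:
        return True
    parts = [ip_address(s.strip()) for s in spec.split("-")]
    return parts[0] <= ip_address(addr) <= parts[-1]


@dataclass
class Rule:
    action: str
    protocol: str = ANY                       # ESP, GRE, TCP, UDP or ANY
    ports: Optional[Tuple[int, int]] = None   # None = all ports
    source: str = ANY
    destination: str = ANY
    enabled: bool = True
    log: Optional[bool] = None                # None = the guide's default
    redirect_port: Optional[int] = None       # PAT, Allow and Forward only

    def __post_init__(self) -> None:
        if self.action not in ACTIONS:
            raise ValueError("unknown rule type")
        if self.redirect_port is not None and self.action != "Allow and Forward":
            raise ValueError("Redirect to port is only available for Allow and Forward")
        if self.log is None:          # blocked connections logged, accepted not
            self.log = self.action == "Block"

    def matches(self, proto: str, dport: int, src: str, dst: str) -> bool:
        if not self.enabled:
            return False
        if self.protocol != ANY and self.protocol != proto:
            return False
        if self.ports is not None and not self.ports[0] <= dport <= self.ports[1]:
            return False
        return in_address_spec(src, self.source) and in_address_spec(dst, self.destination)


@dataclass
class Verdict:
    action: Optional[str]       # None = no user rule matched; default policy applies
    rule_index: Optional[int]   # position on the Rules page (0-based)
    logged: bool
    dport: int                  # destination port after any PAT redirect


def evaluate(rules: List[Rule], proto: str, dport: int, src: str, dst: str) -> Verdict:
    """Apply the rules top-down; the first matching enabled rule wins."""
    for i, rule in enumerate(rules):
        if rule.matches(proto, dport, src, dst):
            new_port = rule.redirect_port if rule.redirect_port is not None else dport
            return Verdict(rule.action, i, bool(rule.log), new_port)
    return Verdict(None, None, False, dport)


if __name__ == "__main__":
    # The guide's example: rule 1 allows outgoing FTP from one address,
    # rule 2 blocks all other outgoing FTP (addresses are constructed).
    ftp_rules = [Rule("Allow", "TCP", port_range("21"), source="192.168.10.5"),
                 Rule("Block", "TCP", port_range("21"))]
    print(evaluate(ftp_rules, "TCP", 21, "192.168.10.5", "203.0.113.9"))
    print(evaluate(ftp_rules, "TCP", 21, "192.168.10.6", "203.0.113.9"))
```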
Enabling/Disabling Rules
To enable/disable a rule
1. Click Security in the main menu, and click the Rules tab.
The Rules page appears.
2. Next to the desired rule, do one of the following:
• To enable the rule, click .
The button changes to and the rule is enabled.
• To disable the rule, click .
The button changes to and the rule is disabled.
Deleting Rules
Using SmartDefense
The VPN-1 Edge appliance includes Check Point SmartDefense Services, based on
Check Point Application Intelligence. SmartDefense provides a combination of
attack safeguards and attack-blocking tools that protect your network in the
following ways:
• Validating compliance to standards
• Validating expected usage of protocols (Protocol Anomaly Detection)
• Limiting application ability to carry malicious data
• Controlling application-layer operations
In addition, SmartDefense aids proper usage of Internet resources, such as FTP,
instant messaging, Peer-to-Peer (P2P) file sharing, file-sharing operations, and File
Transfer Protocol (FTP) uploading, among others.
Configuring SmartDefense
Each node represents an attack type, a sanity check, or a protocol or service that is
vulnerable to attacks. To control how SmartDefense handles an attack, you must
configure the relevant node's settings.
SmartDefense Categories
SmartDefense includes the following categories:
Denial of Service
Denial of Service (DoS) attacks are aimed at overwhelming the target with
spurious data, to the point where it is no longer able to respond to legitimate
service requests.
This category includes the following attacks:
• Teardrop on page 227
• Ping of Death on page 228
• LAND on page 229
• Non-TCP Flooding on page 230
Teardrop
In a Teardrop attack, the attacker sends two IP fragments, the latter entirely
contained within the former. This causes some computers to allocate too much
memory and crash.
Action: Specify what action to take when a Teardrop attack occurs, by selecting
one of the following:
Track: Specify whether to log Teardrop attacks, by selecting one of the following:
Ping of Death
In a Ping of Death attack, the attacker sends a fragmented PING request that
exceeds the maximum IP packet size (64KB). Some operating systems are unable
to handle such requests and crash.
Action: Specify what action to take when a Ping of Death attack occurs, by
selecting one of the following:
Track: Specify whether to log Ping of Death attacks, by selecting one of the
following:
LAND
In a LAND attack, the attacker sends a SYN packet, in which the source address
and port are the same as the destination (the victim computer). The victim
computer then tries to reply to itself and either reboots or crashes.
Action: Specify what action to take when a LAND attack occurs, by selecting one
of the following:
Track: Specify whether to log LAND attacks, by selecting one of the following:
Non-TCP Flooding
Advanced firewalls maintain state information about connections in a State table.
In non-TCP Flooding attacks, the attacker sends high volumes of non-TCP traffic.
Since such traffic is connectionless, the related state information cannot be cleared
or reset, and the firewall State table is quickly filled up. This prevents the firewall
from accepting new connections and results in a Denial of Service (DoS).
You can protect against Non-TCP Flooding attacks by limiting the percentage of
state table capacity used for non-TCP connections.
Action: Specify what action to take when the percentage of state table capacity
used for non-TCP connections reaches the Max. Percent Non-TCP Traffic threshold.
Select one of the following:
Track: Specify whether to log non-TCP connections that exceed the Max. Percent
Non-TCP Traffic threshold, by selecting one of the following:
Max. Percent Non-TCP Traffic: Type the maximum percentage of state table
capacity allowed for non-TCP connections.
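As an added example (not SmartDefense code), the following detection checks implement the four conditions just described, run over constructed packet records: Teardrop (a fragment entirely contained in an earlier one), Ping of Death (reassembled echo larger than the IP maximum), LAND (SYN with source equal to destination) and Non-TCP Flooding (non-TCP share of the state table). Fragment offsets are in bytes, and the state-table capacity and percentage threshold are assumed values.

```python
"""Detection checks for the Denial of Service signatures in the guide.

Added example, not SmartDefense code. Each check is a direct reading of the
guide's description: Teardrop (an IP fragment entirely contained within an
earlier fragment of the same datagram), Ping of Death (a fragmented echo whose
reassembled size exceeds the 65535-byte IP maximum, the guide's "64KB"), LAND
(a SYN whose source address and port equal the destination) and Non-TCP
Flooding (non-TCP entries exceeding a percentage of state-table capacity).
Offsets are in bytes and all packet records are constructed samples.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

MAX_IP_PACKET = 65535


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str                      # "TCP", "UDP", "ICMP", ...
    flags: Tuple[str, ...] = ()     # TCP flags, e.g. ("SYN",)
    frag_id: int = 0                # IP identification, shared by fragments
    frag_offset: int = 0            # byte offset of this fragment's data
    length: int = 0                 # bytes of data in this fragment


def is_land(p: Packet) -> bool:
    """LAND: SYN with source address/port identical to the destination."""
    return p.proto == "TCP" and "SYN" in p.flags and p.src == p.dst and p.sport == p.dport


def is_teardrop(fragments: List[Packet]) -> bool:
    """True if any fragment lies entirely inside an earlier one of the same datagram."""
    seen: List[Tuple[int, int]] = []
    for f in fragments:
        for start, end in seen:
            if start <= f.frag_offset and f.frag_offset + f.length <= end:
                return True
        seen.append((f.frag_offset, f.frag_offset + f.length))
    return False


def is_ping_of_death(fragments: List[Packet]) -> bool:
    """True if an ICMP datagram would reassemble to more than 65535 bytes."""
    if not fragments or any(f.proto != "ICMP" for f in fragments):
        return False
    return max(f.frag_offset + f.length for f in fragments) > MAX_IP_PACKET


def group_fragments(packets: List[Packet]) -> Dict[Tuple[str, str, int], List[Packet]]:
    """Group fragments by (src, dst, IP id) in arrival order for the checks above."""
    groups: Dict[Tuple[str, str, int], List[Packet]] = {}
    for p in packets:
        groups.setdefault((p.src, p.dst, p.frag_id), []).append(p)
    return groups


class StateTable:
    """Connection table with a ceiling on the share used by non-TCP traffic."""

    def __init__(self, capacity: int, max_non_tcp_percent: float) -> None:
        self.capacity = capacity
        self.max_non_tcp_percent = max_non_tcp_percent
        self.entries: Dict[Tuple[str, str, int, str, int], str] = {}

    def non_tcp_count(self) -> int:
        return sum(1 for proto in self.entries.values() if proto != "TCP")

    def non_tcp_percent(self) -> float:
        return 100.0 * self.non_tcp_count() / self.capacity

    def add(self, p: Packet) -> str:
        """Return 'accepted', 'known', 'full' or 'dropped (non-TCP threshold)'."""
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        if key in self.entries:
            return "known"
        if len(self.entries) >= self.capacity:
            return "full"
        if p.proto != "TCP":
            would_be = 100.0 * (self.non_tcp_count() + 1) / self.capacity
            if would_be > self.max_non_tcp_percent:
                return "dropped (non-TCP threshold)"
        self.entries[key] = p.proto
        return "accepted"
```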
IP and ICMP
This category allows you to enable various IP and ICMP protocol tests, and to
configure various protections against IP and ICMP-related attacks. It includes the
following:
• Packet Sanity on page 232
• Max Ping Size on page 234
• IP Fragments on page 235
• Network Quota on page 237
• Welchia on page 239
• Cisco IOS DOS on page 240
• Null Payload on page 242
Packet Sanity
Packet Sanity performs several Layer 3 and Layer 4 sanity checks. These include
verifying packet size, UDP and TCP header lengths, dropping IP options, and
verifying the TCP flags.
You can configure whether logs should be issued for offending packets.
Action: Specify what action to take when a packet fails a sanity test, by selecting
one of the following:
Track: Specify whether to issue logs for packets that fail the packet sanity tests,
by selecting one of the following:
Disable relaxed UDP length verification: The UDP length verification sanity check
compares the actual length of the UDP datagram (derived from the IP header) with
the length given in the Length field of the UDP header. If the two values differ,
the packet may be corrupted or crafted.
Specify whether the VPN-1 Edge appliance should relax the UDP length verification
sanity check or not, by selecting one of the following:
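The following Python script is an added example and is not code from this guide or from Check Point. It implements a small Layer 3/Layer 4 sanity checker of the kind described above (IP total length and IP options, TCP header length and flag combinations, UDP length verification with an optional relaxed mode) together with the LAND check from the previous section, and runs it over hand-built packets. The packet builders, the constructed samples, the violation names and the meaning given to "relaxed" (accept a UDP Length field shorter than the datagram, as some stacks pad, but never one longer than it) are assumptions made for this example.

```python
import struct

SYN, FIN, RST, PSH, ACK = 0x02, 0x01, 0x04, 0x08, 0x10


def build_ipv4(src, dst, proto, payload, options=b""):
    """Build an IPv4 header plus payload (checksum left as 0; not verified here)."""
    ihl = 5 + len(options) // 4
    total = ihl * 4 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + options + payload


def build_tcp(sport, dport, flags):
    """Minimal 20-byte TCP header carrying the given flag bits."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def build_udp(sport, dport, data, length=None):
    """UDP header; 'length' can be forced to a wrong value to exercise the check."""
    length = 8 + len(data) if length is None else length
    return struct.pack("!HHHH", sport, dport, length, 0) + data


def sanity_check(pkt, relaxed_udp_length=False):
    """Return the list of sanity violations found in pkt (empty list = passes)."""
    problems = []
    if len(pkt) < 20:
        return ["ip_header_truncated"]
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(pkt):
        return ["ip_header_invalid"]
    if total_len != len(pkt):
        problems.append("ip_length_mismatch")
    if ihl > 20:
        problems.append("ip_options")          # Packet Sanity drops IP options
    l4 = pkt[ihl:]
    if proto == 6:                             # TCP
        if len(l4) < 20:
            return problems + ["tcp_header_truncated"]
        sport, dport, _, _, off, flags = struct.unpack("!HHIIBB", l4[:14])
        data_off = (off >> 4) * 4
        if data_off < 20 or data_off > len(l4):
            problems.append("tcp_header_length")
        if flags & SYN and flags & FIN:
            problems.append("tcp_flags_syn_fin")
        if (flags & 0x3F) == 0:
            problems.append("tcp_flags_null")
        if src == dst and sport == dport and flags & SYN:
            problems.append("land")            # LAND: source equals destination
    elif proto == 17:                          # UDP
        if len(l4) < 8:
            return problems + ["udp_header_truncated"]
        _, _, ulen, _ = struct.unpack("!HHHH", l4[:8])
        bad = ulen < 8 or (ulen > len(l4) if relaxed_udp_length else ulen != len(l4))
        if bad:
            problems.append("udp_length_mismatch")
    return problems


# Constructed sample packets (not captured traffic)
GOOD_SYN = build_ipv4("192.0.2.10", "10.0.0.5", 6, build_tcp(40000, 443, SYN))
LAND_PKT = build_ipv4("10.0.0.5", "10.0.0.5", 6, build_tcp(80, 80, SYN))
WITH_OPTIONS = build_ipv4("192.0.2.10", "10.0.0.5", 6, build_tcp(40000, 443, SYN),
                          options=b"\x01\x01\x01\x00")   # NOP, NOP, NOP, EOL
BAD_UDP = build_ipv4("192.0.2.10", "10.0.0.5", 17, build_udp(5000, 53, b"\x00" * 12, length=64))
PADDED_UDP = build_ipv4("192.0.2.10", "10.0.0.5", 17, build_udp(5000, 53, b"abcd", length=10))

if __name__ == "__main__":
    for name, pkt in [("GOOD_SYN", GOOD_SYN), ("LAND", LAND_PKT), ("OPTIONS", WITH_OPTIONS),
                      ("BAD_UDP", BAD_UDP), ("PADDED_UDP", PADDED_UDP)]:
        print(f"{name:10s} strict={sanity_check(pkt)} relaxed={sanity_check(pkt, True)}")
```

PADDED_UDP is the case the relaxed setting exists for: its Length field (10) is shorter than the datagram actually carried (12), which strict verification rejects and relaxed verification accepts, while BAD_UDP (a Length field larger than the datagram) is rejected in both modes.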
Max Ping Size
An attacker can send ICMP echo (PING) requests carrying a large amount of data,
causing a buffer overflow on the target when it echoes the data back. You can
protect against such attacks by limiting the allowed data size of ICMP echo
packets.
Action: Specify what action to take when an ICMP echo packet exceeds the Max
Ping Size threshold, by selecting one of the following:
Track: Specify whether to log ICMP echo packets that exceed the Max Ping Size
threshold, by selecting one of the following:
Max Ping Size: Specify the maximum data size allowed for an ICMP echo packet.
IP Fragments
When an IP packet is too big to be transported by a network link, it is split into
several smaller IP packets and transmitted in fragments. To conceal a known attack
or exploit, an attacker might imitate this common behavior and break the data
section of a single packet into several fragmented packets. Without reassembling
the fragments, it is not always possible to detect such an attack. Therefore, the
VPN-1 Edge appliance always reassembles all the fragments of a given IP packet,
before inspecting it to make sure there are no attacks or exploits in the packet.
You can configure how fragmented packets should be handled.
Forbid IP Fragments: Specify whether all fragmented packets should be dropped, by
selecting one of the following. Note that forbidding fragments also drops
legitimate fragmented traffic, such as large UDP datagrams.
Max Number of Incomplete Packets: Type the maximum number of incomplete
(partially reassembled) packets that may be held at one time. Fragments arriving
once this threshold is exceeded will be dropped.
Timeout for Discarding Incomplete Packets: When the VPN-1 Edge appliance receives
packet fragments, it waits for additional fragments to arrive, so that it can
reassemble the packet. Type the number of seconds to wait before discarding
incomplete packets.
Network Quota
An attacker may try to overload a server in your network by establishing a very
large number of connections per second. To protect against Denial Of Service
(DoS) attacks, Network Quota enforces a limit upon the number of connections per
second that are allowed from the same source IP address.
You can configure how connections that exceed that limit should be handled.
Action: Specify what action to take when the number of network connections per
second from the same source reaches the Max. Connections/Second from Same Source
IP threshold. Select one of the following:
Track: Specify whether to log connections from a specific source that exceed the
Max. Connections/Second from Same Source IP threshold, by selecting one of the
following:
Max. Connections/Second from Same Source IP: Type the maximum number of network
connections allowed per second from the same source IP address.
The default value is 100.
Note: Setting this value too low can lead to false alarms, for example when many
users share one source IP address behind a NAT device or proxy.
Welchia
The Welchia worm uses the MS DCOM vulnerability or a WebDAV vulnerability.
After infecting a computer, the worm begins searching for other live computers to
infect. It does so by sending a specific ping packet to a target and waiting for the
reply that signals that the target is alive. This flood of pings may disrupt network
connectivity.
Action: Specify what action to take when the Welchia worm is detected, by
selecting one of the following:
Track: Specify whether to log Welchia worm attacks, by selecting one of the
following:
Cisco IOS DOS
Certain Cisco IOS releases stop processing traffic on an interface after
receiving a sequence of specially crafted IPv4 packets of protocol type 53
(SWIPE), 55 (IP Mobility), 77 (SUN-ND) or 103 (PIM) addressed to the router.
You can configure how Cisco IOS DOS attacks should be handled.
Action: Specify what action to take when a Cisco IOS DOS attack occurs, by
selecting one of the following:
Track: Specify whether to log Cisco IOS DOS attacks, by selecting one of the
following:
Number of Hops to Protect: Type the number of hops from the enforcement module
within which Cisco routers should be protected, that is, packets of the listed
protocol types whose TTL is low enough to expire within this many hops are
treated as attacks.
Action Protection for SWIPE - Protocol 53 / IP Mobility - Protocol 55 / SUN-ND -
Protocol 77 / PIM - Protocol 103: Specify what action to take when an IPv4
packet of the specific protocol type is received, by selecting one of the
following:
• Block. Drop the packet. This is the default.
• None. No action.
Null Payload
Some worms, such as Sasser, use ICMP echo request packets with a null (empty)
payload to detect potentially vulnerable hosts.
You can configure how null payload ping packets should be handled.
Action: Specify what action to take when null payload ping packets are detected,
by selecting one of the following:
Track: Specify whether to log null payload ping packets, by selecting one of the
following:
TCP
This category allows you to configure various protections related to the TCP
protocol. It includes the following:
• Strict TCP on page 243
• Small PMTU on page 244
Strict TCP
Out-of-state TCP packets are SYN-ACK or data packets that arrive out of order,
before the TCP SYN packet.
Note: In normal conditions, out-of-state TCP packets can occur after the VPN-1
Edge restarts, since connections which were established prior to the reboot are
unknown. This is normal and does not indicate an attack.
Action: Specify what action to take when an out-of-state TCP packet arrives, by
selecting one of the following:
Track: Specify whether to log out-of-state TCP packets, by selecting one of the
following:
Small PMTU
Small PMTU (Path MTU) is a bandwidth attack in which the client fools the server
into sending large amounts of data using very small packets, for example by
advertising a tiny path MTU. The per-packet overhead of all those small packets
creates a "bottleneck" on the server.
You can protect against this attack by specifying a minimum packet size for data
sent over the Internet.
Action: Specify what action to take when a packet is smaller than the Minimal MTU
Size threshold, by selecting one of the following:
Track: Specify whether to issue logs for packets that are smaller than the Minimal
MTU Size threshold, by selecting one of the following:
Minimal MTU Size: Type the minimum MTU value allowed in IP packets sent by a
client.
An overly small value will not prevent an attack, while an overly large value
might degrade performance and cause legitimate requests to be dropped.
Port Scan
An attacker can perform a port scan to determine whether ports are open and
vulnerable to an attack. This is most commonly done by attempting to access a port
and waiting for a response. The response indicates whether or not the port is open.
This category includes the following types of port scans:
• Host Port Scan. The attacker scans a specific host's ports to determine
which of the ports are open.
• Sweep Scan. The attacker scans various hosts to determine where a specific
port is open.
You can configure how the VPN-1 Edge appliance should react when a port scan is
detected.
Number of ports accessed: SmartDefense detects port scans by measuring the number
of ports accessed over a period of time. The number of ports accessed must exceed
the Number of ports accessed value within the number of seconds specified by the
In a period of [seconds] value, in order for SmartDefense to consider the activity
a scan.
Type the minimum number of ports that must be accessed within the In a period of
[seconds] period, in order for SmartDefense to detect the activity as a port scan.
For example, if this value is 30, and 40 ports are accessed within the specified
period of time, SmartDefense will detect the activity as a port scan.
For Host Port Scan, the default value is 30. For Sweep Scan, the default value
is 50.
In a period of [seconds]: Type the length of the time window, in seconds, within
which the Number of ports accessed threshold must be exceeded in order for
SmartDefense to detect the activity as a port scan.
For example, if this value is 20 and Number of ports accessed is 30, 40 ports
accessed within 15 seconds will be detected as a port scan, while the same 40
ports spread evenly over 30 seconds (never more than 30 within any 20-second
window) will not.
Track: Specify whether to issue logs for scans, by selecting one of the following:
Detect scans from Internet only: Specify whether to detect only scans originating
from the Internet, by selecting one of the following:
• False. Detect scans from any source, internal networks included. This is the
default.
• True. Detect only scans originating from the Internet.
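The following Python detector is an added example, not code from this guide or from SmartDefense. It applies the two thresholds described above over a sliding time window: a host port scan when one source touches more than Number of ports accessed distinct ports on one host within the period, and a sweep scan when one source touches the same port on more than that many distinct hosts. The defaults 30 and 50 come from the guide; the 20-second period, the internal_nets setting used to model Detect scans from Internet only, and all traffic samples are assumptions constructed for the example.

```python
import ipaddress
from collections import defaultdict, deque


class PortScanDetector:
    """Sliding-window port scan detector.

    host_ports and sweep_hosts correspond to 'Number of ports accessed' (the guide's
    defaults, 30 and 50); period corresponds to 'In a period of [seconds]' (20 s is
    an assumed default). internal_nets, when given, models 'Detect scans from
    Internet only': sources inside those networks are ignored.
    """

    def __init__(self, host_ports=30, sweep_hosts=50, period=20, internal_nets=()):
        self.host_ports = host_ports
        self.sweep_hosts = sweep_hosts
        self.period = period
        self.internal_nets = [ipaddress.ip_network(n) for n in internal_nets]
        self.host_hits = defaultdict(deque)    # (src, dst)   -> deque of (time, dport)
        self.sweep_hits = defaultdict(deque)   # (src, dport) -> deque of (time, dst)

    def _from_internal(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.internal_nets)

    def _window(self, dq, now):
        """Drop entries older than the period; return the deque that remains."""
        while dq and now - dq[0][0] > self.period:
            dq.popleft()
        return dq

    def observe(self, now, src, dst, dport):
        """Record one connection attempt; return the alerts it triggers (if any)."""
        if self.internal_nets and self._from_internal(src):
            return []
        alerts = []
        hosts = self.host_hits[(src, dst)]
        hosts.append((now, dport))
        if len({p for _, p in self._window(hosts, now)}) > self.host_ports:
            alerts.append(("host_port_scan", src, dst))     # many ports on one host
        sweep = self.sweep_hits[(src, dport)]
        sweep.append((now, dst))
        if len({d for _, d in self._window(sweep, now)}) > self.sweep_hosts:
            alerts.append(("sweep_scan", src, dport))       # one port on many hosts
        return alerts


def detect(events, **settings):
    """Run a list of (time, src, dst, dport) events; return the set of alerts raised."""
    detector = PortScanDetector(**settings)
    found = set()
    for t, src, dst, dport in events:
        found.update(detector.observe(t, src, dst, dport))
    return found


# Constructed traffic samples (not captured data)
FAST_SCAN = [(i * 0.25, "198.51.100.7", "10.0.0.5", 1000 + i) for i in range(40)]  # 40 ports in 10 s
SLOW_SCAN = [(i * 1.5, "198.51.100.8", "10.0.0.5", 1000 + i) for i in range(40)]   # 40 ports in 60 s
SWEEP = [(i * 0.1, "198.51.100.9", f"10.0.1.{i}", 445) for i in range(1, 61)]      # port 445 on 60 hosts
LAN_SCAN = [(i * 0.25, "10.0.0.9", "10.0.0.5", 1000 + i) for i in range(40)]       # same scan, internal source

if __name__ == "__main__":
    print("fast scan          :", detect(FAST_SCAN))
    print("slow scan          :", detect(SLOW_SCAN))
    print("sweep              :", detect(SWEEP))
    print("LAN, internet-only :", detect(LAN_SCAN, internal_nets=("10.0.0.0/8",)))
    print("LAN, all sources   :", detect(LAN_SCAN))
```

SLOW_SCAN shows the interaction of the two settings: 40 ports over 60 seconds never puts more than about 14 ports inside any 20-second window, so it is missed with the defaults and caught only if the period is raised to 60 seconds, which is the trade-off the guide's "In a period of" setting controls.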
FTP
This category allows you to configure various protections related to the FTP
protocol. It includes the following:
• FTP Bounce on page 249
• Block Known Ports on page 250
• Block Port Overflow on page 251
• Blocked FTP Commands on page 253
FTP Bounce
When connecting to an FTP server, the client sends a PORT command specifying
the IP address and port to which the FTP server should connect and send data. An
FTP Bounce attack is when an attacker sends a PORT command specifying the IP
address of a third party instead of the attacker's own IP address. The FTP server
then sends data to the victim machine.
You can configure how FTP bounce attacks should be handled.
Action: Specify what action to take when an FTP Bounce attack occurs, by selecting
one of the following:
Track: Specify whether to log FTP Bounce attacks, by selecting one of the
following:
Block Known Ports
You can block PORT commands that direct the FTP server to open its data
connection to a well-known service port, a common way of abusing an FTP server as
a relay to other services.
Note: Known ports are published ports associated with services (for example, SMTP
is port 25).
Action: Specify what action to take when the FTP server attempts to connect to a
well-known port, by selecting one of the following:
Block Port Overflow
The PORT command carries the address and port as six decimal numbers
(h1,h2,h3,h4,p1,p2), each of which must be in the range 0 to 255. To enforce
compliance with the FTP standard and prevent potential attacks against the FTP
server, you can block PORT commands that contain a number greater than 255.
Action: Specify what action to take for PORT commands containing a number greater
than 255, by selecting one of the following:
Blocked FTP Commands
When FTP command blocking is enabled, the FTP commands marked as blocked are
rejected.
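The following Python function is an added example and is not code from this guide or from Check Point. It inspects one client-to-server FTP command line and applies the four FTP checks described above in one place: a configurable blocked-command set, rejection of PORT fields above 255, the FTP Bounce test (the PORT address must equal the control connection's client address) and the known-port test. Treating the whole IANA well-known range (0 to 1023) as "known", the SITE command as the blocked example, and the sample command lines themselves are assumptions made for this example.

```python
import re

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
KNOWN_PORTS = range(0, 1024)   # assumption: the IANA well-known range counts as "known"


def inspect_ftp_command(line, client_ip, blocked_commands=frozenset(), known_ports=KNOWN_PORTS):
    """Decide whether one client->server FTP command line is allowed.

    Returns (allowed, reason). client_ip is the source address of the control
    connection, the only address a PORT command may legitimately name.
    """
    line = line.strip()
    verb = line.split(None, 1)[0].upper() if line else ""
    if verb in blocked_commands:                      # Blocked FTP Commands
        return False, f"blocked command {verb}"
    if verb != "PORT":
        return True, "not a PORT command"
    m = PORT_RE.match(line)
    if not m:
        return False, "malformed PORT command"
    fields = [int(x) for x in m.groups()]
    if any(n > 255 for n in fields):                  # Block Port Overflow
        return False, "PORT field greater than 255"
    host = ".".join(str(n) for n in fields[:4])
    port = fields[4] * 256 + fields[5]
    if host != client_ip:                             # FTP Bounce
        return False, f"FTP bounce: PORT names {host}, control client is {client_ip}"
    if port in known_ports:                           # Block Known Ports
        return False, f"PORT to known service port {port}"
    return True, f"PORT {host}:{port} allowed"


# Constructed control-channel lines from a client at 192.0.2.10
SAMPLES = [
    "PORT 192,0,2,10,4,1",        # own address, port 1025: allowed
    "PORT 203,0,113,5,0,25",      # third party, port 25: bounce attempt
    "PORT 192,0,2,10,0,25",       # own address but SMTP port: known port
    "PORT 192,0,2,10,300,1",      # field above 255: overflow
    "SITE EXEC ls",               # rejected when SITE is in the blocked set
    "RETR report.pdf",
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(cmd, "->", inspect_ftp_command(cmd, "192.0.2.10", blocked_commands={"SITE"}))
```

The order of the checks matters: the overflow test runs before the address is assembled, so a field such as 300 can never be silently wrapped into a valid-looking octet, and the bounce test runs before the known-port test, so a third-party target is reported as a bounce even when it also names a known port.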
Microsoft Networks
This category includes File and Print Sharing.
Microsoft operating systems and Samba clients rely on Common Internet File
System (CIFS), a protocol for sharing files and printers. However, this protocol is
also widely used by worms as a means of propagation.
You can configure how CIFS worms should be handled.
Action: Specify what action to take when a CIFS worm attack is detected, by
selecting one of the following:
Track: Specify whether to log CIFS worm attacks, by selecting one of the
following:
IGMP
This category includes the IGMP protocol.
IGMP is used by hosts and routers to dynamically register and discover multicast
group membership. Attacks on the IGMP protocol usually target a vulnerability in
the multicast routing software/hardware used, by sending specially crafted IGMP
packets.
Action: Specify what action to take when an IGMP attack occurs, by selecting
one of the following:
Track: Specify whether to log IGMP attacks, by selecting one of the following:
Enforce IGMP to multicast addresses: According to the IGMP specification, IGMP
packets must be sent to multicast addresses. Sending IGMP packets to a unicast or
broadcast address might constitute an attack; therefore the VPN-1 Edge appliance
blocks such packets.
Specify whether to allow or block IGMP packets that are sent to non-multicast
addresses, by selecting one of the following:
Peer to Peer
SmartDefense can block peer-to-peer traffic, by identifying the proprietary
protocols and preventing the initial connection to the peer-to-peer networks. This
prevents not only downloads, but also search operations.
This category includes the following nodes:
• KaZaA
• Gnutella
• eMule
• BitTorrent
Note: SmartDefense can detect peer-to-peer traffic regardless of the TCP port being
used to initiate the session.
In each node, you can configure how peer-to-peer connections of the selected type
should be handled, using the table below.
Block proprietary protocols on all ports: Specify whether proprietary protocols
should be blocked on all ports, by selecting one of the following:
Instant Messengers
SmartDefense can block instant messaging applications that use VoIP protocols, by
identifying the messaging application's fingerprints and HTTP headers.
This category includes the following nodes:
• Skype
• Yahoo
• ICQ
Note: SmartDefense can detect instant messaging traffic regardless of the TCP port
being used to initiate the session.
In each node, you can configure how instant messaging connections of the selected
type should be handled, using the table below.
Block proprietary protocols on all ports: Specify whether proprietary protocols
should be blocked on all ports, by selecting one of the following:
You can enable your VPN-1 Edge appliance as a public Internet access hotspot for
specific networks. When users on those networks attempt to access the Internet,
they are automatically re-directed to the My HotSpot page http://my.hotspot. On
this page, they must read and accept the My HotSpot terms of use, and if My
HotSpot is configured to be password-protected, they must log on using their VPN-
1 Edge username and password. The users may then access the Internet.
Note: HotSpot users are automatically logged out after one hour of inactivity.
VPN-1 Edge Secure HotSpot is useful in any wired or wireless environment where
Web-based user authentication or terms-of-use approval is required prior to gaining
access to the network. For example, Secure HotSpot can be used in public
computer labs, educational institutions, libraries, Internet cafés, and so on.
The VPN-1 Edge appliance allows you to add guest users quickly and easily. By
default, guest users are given a username and password that expire in 24 hours and
granted HotSpot Access permissions only. For information on adding quick guest
users, see Adding Quick Guest Users on page 377.
You can choose to exclude specific network objects from HotSpot enforcement.
For information, see Using Network Objects on page 130.
Important: SecuRemote VPN software users who are authenticated by the Internal
VPN Server are automatically exempt from HotSpot enforcement. This allows, for
example, authenticated employees to gain full access to the corporate LAN, while
guest users are permitted to access the Internet only.
Note: HotSpot enforcement can block traffic passing through the firewall; however, it
does not block local traffic on the same network segment (traffic that does not pass
through the firewall).
My HotSpot Title: Type the title that should appear on the My HotSpot page.
The default title is "Welcome to My HotSpot".
My HotSpot Terms: Type the terms to which the user must agree before accessing
the Internet.
You can use HTML tags as needed.
My HotSpot is password protected: Select this option to require users to enter
their username and password before accessing the Internet.
If this option is not selected, users will be required only to accept the terms of
use before accessing the network.
When this option is selected, the Allow a user to login from more than one
computer at the same time check box appears.
Allow a user to login from more than one computer at the same time: Select this
option to allow a single user to log on to My HotSpot from multiple computers at
the same time.
The VPN-1 Edge appliance allows you to define an exposed host, which is a
computer that is not protected by the firewall. This is useful for setting up a
public server, since it allows unlimited incoming and outgoing connections between
the Internet and the exposed host computer.
The exposed host receives all incoming traffic that was not forwarded to another
computer by an Allow and Forward rule. Because every such connection reaches it
unfiltered, the exposed host should be hardened and kept fully patched.
2. In the Exposed Host field, type the IP address of the computer you wish to
define as an exposed host.
Alternatively, you can click This Computer to define your computer as the
exposed host.
3. Click Apply.
The selected computer is now defined as an exposed host.
Chapter 10
Overview
The VPN-1 Edge appliance includes VStream Antivirus, an embedded stream-
based antivirus engine based on Check Point Stateful Inspection and Application
Intelligence technologies, that performs virus scanning at the kernel level.
VStream Antivirus scans files for malicious content on the fly, without
downloading the files into intermediate storage. This means minimal added latency
and support for unlimited file sizes; and since VStream Antivirus stores only
minimal state information per connection, it can scan thousands of connections
concurrently. In order to scan archive files on the fly, VStream Antivirus performs
real-time decompression and scanning of ZIP, TAR, and GZ archive files, with
support for nested archive files.
When VStream Antivirus detects malicious content, the action it takes depends on
the protocol in which the virus was found. See the table below. In each case,
VStream Antivirus blocks the file and writes a log to the Event Log.
TCP and UDP (generic TCP and UDP ports, other than those listed above):
Terminates the connection.
Note: In protocols that are not listed in this table, VStream Antivirus uses a "best
effort" approach to detect viruses. In such cases, detection of viruses is not
guaranteed and depends on the specific encoding used by the protocol.
Note: VStream Antivirus differs from the Email Antivirus subscription service (part of
the Email Filtering service) in the following ways:
You can use either antivirus solution or both in conjunction. For information on
Email Antivirus, see Email Filtering on page 300.
VStream Antivirus maintains two databases: a daily database and a main database.
The daily database is updated frequently with the newest virus signatures.
Periodically, the contents of the daily database are moved to the main database,
leaving the daily database empty. This system of incremental updates to the main
database allows for quicker updates and saves on network bandwidth.
You can view information about the VStream signature databases currently in use,
in the VStream Antivirus page.
Main database The date and time at which the main database was last updated,
followed by the version number.
Daily database The date and time at which the daily database was last updated, followed
by the version number.
Next update The next date and time at which the VPN-1 Edge appliance will check for
updates.
Status The current status of the database. This includes the following statuses:
VStream Antivirus includes a flexible mechanism that allows the user to define
exactly which traffic should be scanned, by specifying the protocol, ports, and
source and destination IP addresses.
VStream Antivirus processes policy rules in the order they appear in the Antivirus
Policy table, so that rule 1 is applied before rule 2, and so on. This enables you to
define exceptions to rules, by placing the exceptions higher up in the Rules table.
For example, if you want to scan all outgoing SMTP traffic, except traffic from a
specific IP address, you can create a rule scanning all outgoing SMTP traffic and
move the rule down in the Antivirus Policy table. Then create a rule passing SMTP
traffic from the desired IP address and move this rule to a higher location in the
Antivirus Policy table than the first rule. In the figure below, the general rule is rule
number 2, and the exception is rule number 1.
The VPN-1 Edge appliance will process rule 1 first, passing outgoing SMTP traffic
from the specified IP address, and only then it will process rule 2, scanning all
outgoing SMTP traffic.
The following rule types exist:
Rule Description
Pass: This rule type enables you to specify that VStream Antivirus should not
scan traffic matching the rule.
Scan: This rule type enables you to specify that VStream Antivirus should scan
traffic matching the rule.
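The following Python snippet is an added example, not code from this guide or from VStream Antivirus. It models the first-match evaluation of the Antivirus Policy table described above, using the guide's own scenario of a Pass exception placed above a general Scan rule for outgoing SMTP, and shows what happens when the two rules are swapped. The rule fields follow the guide's wizard (service, protocol, port range, source, destination, data direction); the direction values, the address-range syntax, the default of scanning unmatched traffic, and the sample connections are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One row of the Antivirus Policy table (field names follow the guide)."""
    action: str                    # "pass" or "scan"
    protocol: str = "any"          # "tcp", "udp" or "any"
    ports: tuple = (1, 65535)      # inclusive port range
    source: str = "any"            # "any", an IP, a CIDR, or "first-last" range (assumed syntax)
    destination: str = "any"
    direction: str = "any"         # "outgoing", "incoming" or "any" (assumed values)


def _addr_matches(spec, ip):
    """True when ip is covered by the address specification."""
    if spec == "any":
        return True
    addr = ipaddress.ip_address(ip)
    if "-" in spec:                # "a.b.c.d-e.f.g.h" inclusive range
        lo, hi = (ipaddress.ip_address(x.strip()) for x in spec.split("-"))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, conn):
    proto, src, dst, port, direction = conn
    return (rule.protocol in ("any", proto)
            and rule.ports[0] <= port <= rule.ports[1]
            and _addr_matches(rule.source, src)
            and _addr_matches(rule.destination, dst)
            and rule.direction in ("any", direction))


def decide(policy, conn, default="scan"):
    """First-match evaluation: rule 1 is consulted before rule 2, and so on.

    Returns (action, matching rule number); the rule number is None when no rule
    matched and the assumed default applies.
    """
    for number, rule in enumerate(policy, start=1):
        if rule_matches(rule, conn):
            return rule.action, number
    return default, None


# The guide's example: the exception (rule 1) sits above the general SMTP rule (rule 2)
POLICY = [
    Rule("pass", "tcp", (25, 25), source="10.0.0.25", direction="outgoing"),
    Rule("scan", "tcp", (25, 25), direction="outgoing"),
]

# Constructed connections: (protocol, source, destination, port, direction)
FROM_EXEMPT_HOST = ("tcp", "10.0.0.25", "203.0.113.1", 25, "outgoing")
FROM_OTHER_HOST = ("tcp", "10.0.0.7", "203.0.113.1", 25, "outgoing")

if __name__ == "__main__":
    print(decide(POLICY, FROM_EXEMPT_HOST))                 # ('pass', 1)
    print(decide(POLICY, FROM_OTHER_HOST))                  # ('scan', 2)
    print(decide(list(reversed(POLICY)), FROM_EXEMPT_HOST))  # ('scan', 1): order matters
```

The third call is the failure mode the guide warns about: with the general rule moved above the exception, the exception is never reached and the exempt host's mail is scanned anyway.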
The VStream Policy Rule Wizard opens, with the Step 1: Rule Type dialog box
displayed.
5. Complete the fields using the relevant information in the table below.
6. Click Next.
The Step 3: Destination & Source dialog box appears.
7. Complete the fields using the relevant information in the table below.
The Step 4: Done dialog box appears.
8. Click Finish.
The new rule appears in the Firewall Rules page.
Any Service Click this option to specify that the rule should apply to any service.
Standard Service: Click this option to specify that the rule should apply to a
specific standard service.
You must then select the desired service from the drop-down list.
Custom Service Click this option to specify that the rule should apply to a specific non-
standard service.
The Protocol and Port Range fields are enabled. You must fill them in.
Protocol Select the protocol (TCP, UDP, or ANY) for which the rule should apply.
Ports To specify the port range to which the rule applies, type the start port
number in the left text box, and the end port number in the right text box.
Note: If you do not enter a port range, the rule will apply to all ports. If you
enter only one port number, the range will include only that port.
To specify an IP address range, select Specified Range and type the desired
IP address range in the fields provided.
And the destination is: Select the destination of the connections to which the
rule should apply.
To specify an IP address, select Specified IP and type the desired IP address
in the text box.
To specify an IP address range, select Specified Range and type the desired
IP address range in the fields provided. This option is not available in Allow
and Forward rules.
To specify the VPN-1 Edge Portal and network printers, select This Gateway.
This option is not available in Allow and Forward rules.
To specify any destination except the VPN-1 Edge Portal and network
printers, select ANY.
Data Direction Select the direction of connections to which the rule should apply:
Enabling/Disabling Rules
To enable/disable a rule
1. Click Antivirus in the main menu, and click the Policy tab.
The Antivirus Policy page appears.
Deleting Rules
3. Click OK.
The rule is deleted.
The VStream Antivirus settings are reset to their defaults. For information on
the default values, refer to the table below.
File Types
Block potentially unsafe file types in email messages: Select this option to
block all emails containing attachments of potentially unsafe file types.
Unsafe file types are:
Pass safe file types without scanning: Select this option to accept common file
types that are known to be safe, without scanning them. These are:
• MPEG streams
• RIFF Ogg Stream
• MP3
• PDF
• PostScript
• WMA/WMV/ASF
• RealMedia
• JPEG - only the header is scanned, and the rest of
the file is skipped
Status
Maximum nesting level: Type the maximum number of nested content levels that
VStream Antivirus should scan.
Maximum compression ratio 1:x: Type the maximum compression ratio (1:x) of files
that VStream Antivirus should scan.
These two limits bound the work the engine spends on deeply nested or extremely
compressible archives (so-called decompression bombs).
When archived file exceeds limit or extraction fails: Specify how VStream
Antivirus should handle files that exceed the Maximum nesting level or the
Maximum compression ratio, and files for which extraction fails. Select one of
the following:
When you are subscribed to the VStream Antivirus updates service, VStream
Antivirus virus signatures are automatically updated, keeping security up-to-date
with no need for user intervention. However, you can still check for updates
manually, if needed.
Chapter 11
The VPN-1 Edge Services Wizard opens, with the Service Center dialog box
displayed.
3. Make sure the Connect to a different Service Center check box is selected.
4. Do one of the following:
• To connect to the SofaWare Service Center, choose
usercenter.sofaware.com.
• To specify a Service Center, choose Specified IP and then in the Specified
IP field, enter the desired Service Center’s IP address, as given to you by
your system administrator.
5. Click Next.
• The Connecting… screen appears.
Enter your gateway ID and registration key in the appropriate fields, as given
to you by your service provider, then click Next.
• The Connecting… screen appears.
• The Confirmation dialog box appears with a list of services to which you
are subscribed.
6. Click Next.
7. Click Finish.
The following things happen:
• If a new firmware is available, the VPN-1 Edge appliance may start
downloading it. This may take several minutes. Once the download is
complete, the VPN-1 Edge appliance restarts using the new firmware.
• The Welcome page appears.
• The services to which you are subscribed are now available on your VPN-
1 Edge appliance and listed as such on the Account page. See Viewing
Services Information on page 293 for further information.
• The Services submenu includes the services to which you are subscribed.
The Account page displays the following information about your subscription.
Service Center Name: The name of the Service Center to which you are connected
(if known).
Subscription will end on: The date on which your subscription to services will
end.
• Subscribed
• Not Subscribed
If you are subscribed to Dynamic DNS, this field displays your gateway's
domain name.
For further information, see Web Filtering on page 296, Virus Scanning
on page 300, and Automatic and Manual Updates on page 304.
This option restarts your VPN-1 Edge appliance’s connection to the Service Center
and refreshes your VPN-1 Edge appliance’s service settings.
This option allows you to access your Service Center's Web site, which may offer
additional configuration options for your account. Contact your Service Center for
a user ID and password.
Note: If no additional settings are available from your Service Center, this button will
not appear.
Web Filtering
When the Web Filtering service is enabled, access to Web content is restricted
according to the categories specified under Allow Categories. Authorized users will
be able to view Web pages with no restrictions, only after they have provided the
administrator password via the Web Filtering pop-up window.
Note: Web Filtering is only available if you are connected to a Service Center and
subscribed to this service.
Note: If you are remotely managed, contact your Service Center to change these
settings.
You can define which types of Web sites should be considered appropriate for your
family or office members, by selecting the categories. Categories marked as
allowed will remain visible, while categories marked as blocked will require the
administrator password for viewing.
Note: If you are remotely managed, contact your Service Center to change these
settings.
To allow/block a category
3. To re-enable the service, click Resume, either in the popup window, or on the
Web Filtering page.
• The service is re-enabled for all internal network computers.
• If you clicked Resume in the Web Filtering page, the button changes to
Snooze.
• If you clicked Resume in the Web Filtering Off popup window, the popup
window closes.
Email Filtering
There are two Email Filtering services:
• Email Antivirus
When the Email Antivirus service is enabled, your email is automatically
scanned for the detection and elimination of all known viruses and vandals. If a
virus is detected, it is removed and replaced with a warning message.
Note: The Email Antivirus subscription service differs from VStream Antivirus in the
following ways:
You can use either antivirus solution or both in conjunction. For information on
VStream Antivirus, see Using VStream Antivirus on page 269.
• Email Antispam
When the Email Antispam service is enabled, your email is automatically
scanned for the detection of spam. If spam is detected, the email’s Subject line is
modified to indicate that it is suspected spam. You can create rules to divert
such messages to a special folder.
Note: Email Filtering services are only available if you are connected to a Service
Center and subscribed to the services.
Note: If you are remotely managed, contact your Service Center to change these
settings.
If you are locally managed, you can define which protocols should be scanned for
viruses and spam:
• Email retrieving (POP3). If enabled, all incoming email in the POP3
protocol will be scanned.
• Email sending (SMTP). If enabled, all outgoing email will be scanned.
Protocols marked as enabled will be scanned, while those marked as disabled will not.
Note: If you are remotely managed, contact your Service Center to change these
settings.
If you are having problems sending or receiving email you can temporarily disable
the Email Filtering services.
3. To re-enable Email Antivirus and Email Antispam, click Resume, either in the
popup window, or on the Email Filtering page.
• The services are re-enabled for all internal network computers.
• If you clicked Resume in the Email Filtering page, the button changes to
Snooze.
• If you clicked Resume in the Email Filtering Off popup window, the popup
window closes.
Note: Software Updates are only available if you are connected to a Service Center
and subscribed to this service.
If your VPN-1 Edge appliance is locally managed, you can set it to automatically
check for software updates, or you can set it so that software updates must be
checked for manually.
2. To set the VPN-1 Edge appliance to automatically check for and install new
software updates, drag the Automatic/Manual lever upwards.
The VPN-1 Edge appliance checks for new updates and installs them according
to its schedule.
Note: When the Software Updates service is set to Automatic, you can still manually
check for updates.
3. To set the VPN-1 Edge appliance so that software updates must be checked for
manually, drag the Automatic/Manual lever downwards.
The VPN-1 Edge appliance does not check for software updates automatically.
4. To manually check for software updates, click Update Now.
The system checks for new updates and installs them.
Chapter 12
Overview
You can configure your VPN-1 Edge appliance as part of a virtual private network
(VPN). A VPN is a private data network consisting of a group of gateways that can
securely connect to each other. Each member of the VPN is called a VPN site, and
a connection between two VPN sites is called a VPN tunnel. VPN tunnels encrypt
and authenticate all traffic passing through them. Through these tunnels, employees
can safely use their company’s network resources when working at home. For
example, they can securely read email, use the company’s intranet, or access the
company’s database from home.
There are four types of VPN sites:
Site-to-Site VPNs
A Site-to-Site VPN consists of two or more Site-to-Site VPN Gateways that can
communicate with each other in a bi-directional relationship. The connected
networks function as a single network. You can use this type of VPN to mesh
office branches into one corporate network.
Using the internal VPN Server, along with a strict security policy for non-VPN
users, can enhance security both for wired networks and for wireless networks,
which are particularly vulnerable to security breaches.
The internal VPN Server can be used in the VPN-1 Edge W wireless appliance,
regardless of the wireless security settings. It also can be used in wired appliances,
both for wired stations and for wireless stations.
Note: You can enable wireless connections to a wired VPN-1 Edge appliance, by
connecting a wireless access point in bridge mode to one of the appliance's internal
interfaces. Do not connect computers to the same interface as a wireless access
point, since allowing direct access from the wireless network may pose a significant
security risk.
You can make your network available to authorized users connecting from the
Internet or from your internal networks, by setting up your VPN-1 Edge appliance
as a VPN Server. Users can connect to the VPN Server via Check Point
SecuRemote or via a VPN-1 Edge appliance in Remote Access VPN mode.
Enabling the VPN Server for users connecting from your internal networks adds a
layer of security to such connections. For example, while you could create a
firewall rule allowing a specific user on the DMZ to access the LAN, enabling
VPN access for the user means that such connections can be encrypted and
authenticated. For more information, see Internal VPN Server on page 313.
Note: Disabling the VPN Server for a specific type of connection (from the Internet or
from internal networks) will cause all existing VPN tunnels of that type to
disconnect.
2. Select the Allow SecuRemote users to connect from the Internet check box.
3. To allow authenticated users connecting from the Internet to bypass NAT when
connecting to your internal network, select the Bypass NAT check box.
4. To allow authenticated users connecting from the Internet to bypass the firewall
and access your internal network without restriction, select the Bypass the
firewall check box.
5. Click Apply.
The Remote Access VPN Server is enabled for the specified connection types.
2. Select the Allow SecuRemote users to connect from my internal networks check
box.
New check boxes appear.
Installing SecuRemote
If you configured the Remote Access VPN Server to accept connections from your
internal networks, you must install the SecuRemote VPN Client on internal
network computers that should be allowed to remotely access your network.
To install SecuRemote
1. Click VPN in the main menu, and click the VPN Server tab.
The SecuRemote VPN Server page appears.
2. Click the Download SecuRemote VPN client link.
The VPN-1 SecuRemote for VPN-1 Edge page opens in a new window.
3. Follow the online instructions to complete installation.
SecuRemote is installed.
For information on using SecuRemote, see the User Help. To access
SecuRemote User Help, right-click on the SecuRemote VPN Client icon in the
taskbar, select Settings, and then click Help.
The VPN-1 Edge VPN Site Wizard opens, with the Welcome to the VPN Site Wizard
dialog box displayed.
1. Enter the IP address of the Remote Access VPN Server to which you want to
connect, as given to you by the network administrator.
2. To allow the VPN site to bypass the firewall and access your internal network
without restriction, select the Bypass the firewall check box.
3. Click Next.
4. Specify how you want to obtain the VPN network configuration. Refer to VPN
Network Configuration Fields on page 331.
5. Click Next.
The following things happen in the order below:
• If you chose Specify Configuration, a second VPN Network Configuration
dialog box appears.
1. Complete the fields using the information in VPN Login Fields on page 333.
2. Click Next.
• If you selected Automatic Login, the Connect dialog box appears.
Do the following:
1) To try to connect to the Remote Access VPN Server, select the Try
to Connect to the VPN Gateway check box.
This allows you to test the VPN connection.
Warning: If you try to connect to the VPN site before completing the wizard, all
existing tunnels will be terminated.
2) Click Next.
If you selected Try to Connect to the VPN Gateway, the Connecting…
screen appears, and then the Contacting VPN Site screen appears.
• The Site Name dialog box appears.
5. Click Finish.
The VPN Sites page reappears. If you added a VPN site, the new site appears in
the VPN Sites list. If you edited a VPN site, the modifications are reflected in the
VPN Sites list.
1. To try to connect to the Remote Access VPN Server, select the Try to Connect to
the VPN Gateway check box.
This allows you to test the VPN connection.
Warning: If you try to connect to the VPN site before completing the wizard, all
existing tunnels will be terminated.
2. Click Next.
If you selected Try to Connect to the VPN Gateway, the Connecting… screen
appears, and then the Contacting VPN Site screen appears.
The Site Name dialog box appears.
5. Click Finish.
The VPN Sites page reappears. If you added a VPN site, the new site appears in
the VPN Sites list. If you edited a VPN site, the modifications are reflected in the
VPN Sites list.
3. Click Finish.
The VPN Sites page reappears. If you added a VPN site, the new site appears in
the VPN Sites list. If you edited a VPN site, the modifications are reflected in the
VPN Sites list.
Download Configuration Click this option to obtain the network configuration by downloading it from the VPN site.
Route All Traffic Click this option to route all network traffic through the VPN site.
Note: You can only configure one VPN site to route all traffic.
Route Based VPN Click this option to create a virtual tunnel interface (VTI) for this site, so
that it can participate in a route-based VPN.
OSPF is enabled using CLI. For information on using CLI, see Controlling
the Appliance via the Command Line on page 400. For information on
the relevant commands for OSPF, refer to the Embedded NGX CLI
Reference Guide.
Destination network Type up to three destination network addresses at the VPN site to which
you want to connect.
Subnet mask Select the subnet masks for the destination network addresses.
Note: Obtain the destination networks and subnet masks from the VPN
site’s system administrator.
Backup Gateway Type the name of the VPN site to use if the primary VPN site fails.
Username and Password Select this option to use a user name and password for VPN authentication.
In the next step, you can specify whether you want to log on to the VPN
site automatically or manually.
If you select this option, a certificate must have been installed. (Refer to
Installing a Certificate on page 357 for more information about
certificates and instructions on how to install a certificate.)
RSA SecurID Token Select this option to use an RSA SecurID token for VPN authentication.
When authenticating to the VPN site, you must enter a four-digit PIN code
and the SecurID passcode shown in your SecurID token's display. The
RSA SecurID token generates a new passcode every minute.
Manual Login Click this option to configure the site for Manual Login.
Manual Login connects only the computer you are currently logged onto to
the VPN site, and only when the appropriate user name and password
have been entered. For further information on Automatic and Manual
Login, see, Logging on to a VPN Site on page 353.
Automatic Login Click this option to enable the VPN-1 Edge appliance to log on to the VPN
site automatically.
Automatic Login provides all the computers on your internal network with
constant access to the VPN site. For further information on Automatic and
Manual Login, see Logging on to a VPN Site on page 353.
Username Type the user name to be used for logging on to the VPN site.
Password Type the password to be used for logging on to the VPN site.
1. Complete the fields using the information in VPN Gateway Address Fields on
page 346.
2. Click Next.
The VPN Network Configuration dialog box appears.
3. Specify how you want to obtain the VPN network configuration. Refer to VPN
Network Configuration Fields on page 331.
4. Click Next.
• If you chose Specify Configuration, a second VPN Network Configuration
dialog box appears.
• If you chose Route Based VPN, the Route Based VPN dialog box appears.
Complete the fields using the information in Route Based VPN Fields on
page 347, and then click Next.
• The Authentication Method dialog box appears.
If you chose Download Configuration, the dialog box contains additional fields.
3. Complete the fields using the information in Security Methods Fields on page
348 and click Next.
4. To try to connect to the Remote Access VPN Server, select the Try to Connect to
the VPN Gateway check box.
This allows you to test the VPN connection.
Warning: If you try to connect to the VPN site before completing the wizard, all
existing tunnels will be terminated.
5. Click Next.
• If you selected Try to Connect to the VPN Gateway, the Connecting…
screen appears, and then the Contacting VPN Site screen appears.
• If you selected Keep this site alive, and previously you chose Download
Configuration, the "Keep Alive" Configuration dialog box appears.
Do the following:
1) Type up to three IP addresses which the VPN-1 Edge appliance
should ping in order to keep the tunnel to the VPN site alive.
2) Click Next.
• The VPN Site Created screen appears.
9. Click Finish.
The VPN Sites page reappears. If you added a VPN site, the new site appears in
the VPN Sites list. If you edited a VPN site, the modifications are reflected in the
VPN Sites list.
2. Complete the fields using the information in Security Methods Fields on page
348 and click Next.
The Connect dialog box appears.
3. To try to connect to the Remote Access VPN Server, select the Try to Connect to
the VPN Gateway check box.
Warning: If you try to connect to the VPN site before completing the wizard, all
existing tunnels will be terminated.
4. Click Next.
• If you selected Try to Connect to the VPN Gateway, the following things
happen:
The Connecting… screen appears.
• The Contacting VPN Site screen appears.
• The Site Name dialog box appears.
• If you selected Keep this site alive, and previously you chose Download
Configuration, the "Keep Alive" Configuration dialog box appears.
Do the following:
1) Type up to three IP addresses which the VPN-1 Edge appliance
should ping in order to keep the tunnel to the VPN site alive.
2) Click Next.
• The VPN Site Created screen appears.
8. Click Finish.
The VPN Sites page reappears. If you added a VPN site, the new site appears in
the VPN Sites list. If you edited a VPN site, the modifications are reflected in the
VPN Sites list.
Gateway Address Type the IP address of the Site-to-Site VPN Gateway to which you want
to connect, as given to you by the network administrator.
Bypass NAT Select this option to allow the VPN site to bypass NAT when connecting
to your internal network.
Bypass the firewall Select this option to allow the VPN site to bypass the firewall and access your internal network without restriction.
Tunnel Local IP Type a local IP address for this end of the VPN tunnel.
Tunnel Remote IP Type the IP address of the remote end of the VPN tunnel.
OSPF Cost Type the cost of this link for dynamic routing purposes.
If OSPF is not enabled, this setting is not used. OSPF is enabled using
the VPN-1 Edge command line interface (CLI). For information on using
CLI, see Controlling the Appliance via the Command Line on page
400. For information on the relevant commands for OSPF, refer to the
Embedded NGX CLI Reference Guide.
Shared Secret Select this option to use a shared secret for VPN authentication.
If you select this option, a certificate must have been installed. (Refer to
Installing a Certificate on page 357 for more information about
certificates and instructions on how to install a certificate.)
Use Shared Secret Type the shared secret to use for secure communications with the VPN site.
This shared secret is a string used to identify the VPN sites to each other.
The secret can contain spaces and special characters.
Phase 1
Security Methods Select the encryption and integrity algorithm to use for IKE negotiations:
A group with more bits ensures a stronger key but lowers performance.
Renegotiate every Type the interval in minutes between IKE Phase-1 key negotiations. This
is the IKE Phase-1 SA lifetime.
Phase 2
Security Methods Select the encryption and integrity algorithm to use for VPN traffic:
Perfect Forward Secrecy Specify whether to enable Perfect Forward Secrecy (PFS), by selecting one of the following:
Enabling PFS will generate a new Diffie-Hellman key during IKE Phase 2
and renew the key for each key exchange.
A group with more bits ensures a stronger key but lowers performance.
Renegotiate every Type the interval in seconds between IPSec SA key negotiations. This is
the IKE Phase-2 SA lifetime.
Note: Disabling a VPN site eliminates the tunnel and erases the network topology.
You need to manually log on to Remote Access VPN Servers configured for
Manual Login. You do not need to manually log on to a Remote Access VPN
Server configured for Automatic Login or a Site-to-Site VPN Gateway: all the
computers on your network have constant access to it.
Manual Login can be done through either the VPN-1 Edge Portal or the my.vpn
page. When you log on and traffic is sent to the VPN site, a VPN tunnel is
established. Only the computer from which you logged on can use the tunnel. To
share the tunnel with other computers in your home network, you must log on to
the VPN site from those computers, using the same user name and password.
Note: You must use a single user name and password for each VPN destination
gateway.
Note: You can only log on to sites that are configured for Manual Login.
2. From the Site Name list, select the site to which you want to log on.
Note: Disabled VPN sites will not appear in the Site Name list.
• Once the VPN-1 Edge appliance has finished connecting, the VPN Login
Status box appears. The Status field displays “Connected”.
• The VPN Login Status box remains open until you manually log off the
VPN site.
Note: You don’t need to know the my.firewall page administrator’s password in order
to use the my.vpn page.
2. In the Site Name list, select the site to which you want to log on.
3. Enter your user name and password in the appropriate fields.
4. Click Login.
• If the VPN-1 Edge appliance is configured to automatically download the
network configuration, the VPN-1 Edge appliance downloads the network
configuration.
• If when adding the VPN site you specified a network configuration, the
VPN-1 Edge appliance attempts to create a tunnel to the VPN site.
• The VPN Login Status box appears. The Status field tracks the
connection’s progress.
• Once the VPN-1 Edge appliance has finished connecting, the Status field
changes to “Connected”.
• The VPN Login Status box remains open until you manually log off of the
VPN site.
You need to manually log off a VPN site if it is a Remote Access VPN site
configured for Manual Login.
Note: Closing the browser or dismissing the VPN Login Status box will also terminate
the VPN session within a short time.
Installing a Certificate
Note: To use certificate authentication, each VPN-1 Edge appliance should have a
unique certificate. Do not use the same certificate for more than one gateway.
6. Click Finish.
Gateway Name Type the gateway's name. This name will appear on the certificate, and will
be visible to remote users inspecting the certificate.
Valid Until Use the drop-down lists to specify the month, day, and year when this
certificate should expire.
Importing a Certificate
To install a certificate
1. Click VPN in the main menu, and click the Certificate tab.
The Certificate page appears.
2. Click Install Certificate.
The VPN-1 Edge Certificate Wizard opens, with the Certificate Wizard dialog box
displayed.
3. Click Import a security certificate in PKCS#12 format.
4. Click Browse to open a file browser from which to locate and select the file.
The filename that you selected is displayed.
5. Click Next.
The Import-Certificate Passphrase dialog box appears. This may take a few
moments.
6. Type the passphrase you received from the network security administrator.
7. Click Next.
The Done dialog box appears, displaying the certificate's details.
8. Click Finish.
The VPN-1 Edge appliance installs the certificate. If a certificate is already
installed, it is overwritten.
The Certificate Wizard closes.
The Certificates page displays the following information:
• The gateway's certificate
• The gateway's name
• The gateway certificate's fingerprint
• The CA's certificate
• The name of the CA that issued the certificate
• The CA certificate's fingerprint
• The starting and ending dates between which the gateway's certificate and
the CA's certificate are valid
Uninstalling a Certificate
If you uninstall the certificate, no certificate will exist on the VPN-1 Edge
appliance, and you will not be able to connect to the VPN if a certificate is
required.
You cannot uninstall the certificate if there is a VPN site currently defined to use
certificate authentication.
To uninstall a certificate
1. Click VPN in the main menu, and click the Certificate tab.
The Certificate page appears with the name of the currently installed certificate.
2. Click Uninstall.
A confirmation message appears.
3. Click OK.
The certificate is uninstalled.
A success message appears.
4. Click OK.
You can view a list of currently established VPN tunnels. VPN tunnels are created
and closed as follows:
• Remote Access VPN sites configured for Automatic Login and Site-to-Site
VPN Gateways
A tunnel is created whenever your computer attempts any kind of
communication with a computer at the VPN site. The tunnel is closed when not
in use for a period of time.
Note: Although the VPN tunnel is automatically closed, the site remains open, and if
you attempt to communicate with the site, the tunnel will be reestablished.
The VPN Tunnels page includes the information described in the table below.
2. To refresh the table, click Refresh.
Source The IP address or address range of the entity from which the tunnel
originates.
The entity's type is indicated by an icon. See VPN Tunnel Icons on page
367.
Destination The IP address or address range of the entity to which the tunnel is
connected.
The entity's type is indicated by an icon. See VPN Tunnel Icons on page
367.
Security The type of encryption used to secure the connection, and the type of
Message Authentication Code (MAC) used to verify the integrity of the
message. This information is presented in the following format: Encryption
type/Authentication type
Note: All VPN settings are automatically negotiated between the two sites.
The encryption and authentication schemes used for the connection are the
strongest of those used at the two sites.
Your VPN-1 Edge appliance supports AES, 3DES, and DES encryption
schemes, and MD5 and SHA authentication schemes.
hh=hours, mm=minutes, ss=seconds
This gateway
If you are experiencing VPN connection problems, you can save a trace of IKE
(Internet Key Exchange) negotiations to a file, and then use the free IKE View tool
to view the file.
The IKE View tool is available for the Windows platform.
• The VPN-1 Edge appliance stores traces for all recent IKE negotiations.
If you want to view only new IKE trace data, clear all IKE trace data
currently stored on the VPN-1 Edge appliance.
• Close all existing VPN tunnels except for the problematic tunnel, so as
to make it easier to locate the problematic tunnel's IKE negotiation
trace in the exported file.
Chapter 13
Managing Users
This chapter describes how to manage VPN-1 Edge appliance users. You can
define multiple users, set their passwords, and assign them various permissions.
This chapter includes the following topics:
Changing Your Password .........................................................................371
Adding and Editing Users ........................................................................373
Adding Quick Guest HotSpot Users.........................................................377
Viewing and Deleting Users.....................................................................379
Setting Up Remote VPN Access for Users...............................................380
Using RADIUS Authentication ................................................................380
Configuring the RADIUS Vendor-Specific Attribute ..............................385
4. Click Next.
The Set User Permissions dialog box appears.
5. Click Finish.
Your changes are saved.
3. Complete the fields using the information in Set User Details Fields on page
375.
4. Click Next.
The options that appear on the page are dependent on the software and services
you are using.
5. Complete the fields using the information in Set User Permissions Fields on
page 376.
6. Click Finish.
The user is saved.
Password Enter a password for the user. Use five to 25 characters (letters or
numbers) for the new password.
Expires On To specify an expiration time for the user, select this option and specify
the expiration date and time in the fields provided.
When the user account expires, it is locked, and the user can no longer
log on to the VPN-1 Edge appliance.
If you do not select this option, the user will not expire.
Administrator Level Select the user’s level of access to the VPN-1 Edge Portal.
VPN Remote Access Select this option to allow the user to connect to this VPN-1 Edge appliance using their VPN client.
Web Filtering Override Select this option to allow the user to override Web Filtering.
This option only appears if the Web Filtering service is defined.
HotSpot Access Select this option to allow the user to log on to the My HotSpot page.
The VPN-1 Edge appliance provides a shortcut for quickly adding a guest HotSpot
user. This is useful in situations where you want to grant temporary network access
to guests, for example in an Internet café. The shortcut also enables printing the
guest user's details in one click.
By default, the quick guest user has the following characteristics:
• Username in the format guest<number>, where <number> is a unique
three-digit number.
For example: guest123
• Randomly generated password
• Expires in 24 hours
• Administration Level: No Access
• Permissions: HotSpot Access only
For information on configuring Secure HotSpot, see Using Secure HotSpot on
page 261.
3. In the Expires field, click on the arrows to specify the expiration date and time.
4. To print the user details, click Print.
5. Click Finish.
The guest user is saved.
You can edit the guest user's details and permissions using the procedure
Adding and Editing Users on page 373.
If you are using your VPN-1 Edge appliance as a Remote Access VPN Server or as
an internal VPN Server, you can allow users to access it remotely through their
Remote Access VPN Clients (a Check Point SecureClient, Check Point
SecuRemote, or another Embedded NGX appliance).
Note: When RADIUS authentication is in use, Remote Access VPN Clients must
have a certificate.
When a user tries to log on to the VPN-1 Edge Portal, the VPN-1 Edge appliance
sends the entered user name and password to the RADIUS server. The server then
checks whether the RADIUS database contains a matching user name and
password pair. If so, then the user is logged on.
5. To use the RADIUS VSA to assign permissions to users, configure the VSA.
See Configuring the RADIUS Vendor-Specific Attribute on page 385.
Address Type the IP address of the computer that will run the RADIUS service
(one of your network computers) or click the corresponding This
Computer button to allow your computer to host the service.
Port Type the port number on the RADIUS server’s host computer.
Shared Secret Type the shared secret to use for secure communication with the
RADIUS server.
Realm If your organization uses RADIUS realms, type the realm to append to
RADIUS requests. The realm will be appended to the username as
follows: <username>@<realm>
For example, if you set the realm to “myrealm”, and the user "JohnS"
attempts to log on to the VPN-1 Edge Portal, the VPN-1 Edge
appliance will send the RADIUS server an authentication request with
the username “JohnS@myrealm”.
RADIUS User Permissions If the RADIUS VSA (Vendor-Specific Attribute) is configured for a user,
the fields in this area will have no effect, and the user will be granted
the permissions specified in the VSA.
If the VSA is not configured for the user, the permissions configured in
this area will be used.
Administrator Level Select the level of access to the VPN-1 Edge Portal to assign to all
users authenticated by the RADIUS server.
Web Filtering Override Select this option to allow all users authenticated by the RADIUS server to override Web Filtering.
HotSpot Access Select this option to allow the user to access the My HotSpot page.
For detailed instructions and examples, refer to the "Configuring the RADIUS
Vendor-Specific Attribute" white paper.
VPN (number 2, type String) Indicates whether the user can remotely access the network from a Remote Access VPN Client.
true. The user can access the network via VPN.
false. The user cannot remotely access the network via VPN.
This permission is only relevant if the VPN-1 Edge Remote Access VPN Server is enabled. The gateway must have a certificate.
Hotspot (number 3, type String) Indicates whether the user can log on via the My HotSpot page.
true. The user can access the Internet via My HotSpot.
false. The user cannot access the Internet via My HotSpot.
This permission is only relevant if the Secure HotSpot feature is enabled.
UFP (number 4, type String) Indicates whether the user can override Web Filtering.
true. The user can override Web Filtering.
false. The user cannot override Web Filtering.
This permission is only relevant if the Web Filtering service is enabled.
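The VSA table above and the RADIUS User Permissions precedence rule, as an added example that is not code from the guide or from Check Point: it encodes and decodes the Vendor-Specific attribute (RFC 2865 type 26) using the sub-attribute numbers 2, 3 and 4 and the "true"/"false" string values from the table, lets local appliance settings apply only when no VSA is present, and gates each permission on the feature the table's last column names. The Vendor-Id 2620 (Check Point's IANA enterprise number, not stated in the guide) and the treatment of sub-attributes absent from a present VSA as not granted are assumptions.

```python
import struct

# Assumption: the guide does not state the Vendor-Id. 2620 is Check Point's
# IANA enterprise number; change it if your RADIUS dictionary differs.
VENDOR_ID = 2620
ATTR_USER_NAME = 1          # RFC 2865 User-Name, carries <username>@<realm>
ATTR_VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific attribute type

# Sub-attribute numbers and meanings taken from the guide's VSA table.
VSA_TYPES = {2: "vpn", 3: "hotspot", 4: "ufp"}
TYPE_BY_NAME = {name: num for num, name in VSA_TYPES.items()}

# Feature each permission depends on (the table's "only relevant if" column).
FEATURE_GATES = {"vpn": "remote_access_vpn_server",
                 "hotspot": "secure_hotspot",
                 "ufp": "web_filtering"}


def _tlvs(data):
    """Yield (type, value) pairs from RADIUS-style TLVs, refusing lengths that
    are below the 2-byte header or would run past the buffer."""
    i = 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        yield atype, data[i + 2:i + alen]
        i += alen


def encode_user_name(username, realm=None):
    """User-Name attribute; the realm is appended as <username>@<realm>."""
    text = f"{username}@{realm}" if realm else username
    value = text.encode("ascii")
    return struct.pack("!BB", ATTR_USER_NAME, 2 + len(value)) + value


def encode_vsa(permissions):
    """Build one Vendor-Specific attribute carrying the guide's sub-attributes
    as the strings 'true' / 'false' (RFC 2865 recommended sub-TLV layout)."""
    body = b""
    for name, allowed in permissions.items():
        value = b"true" if allowed else b"false"
        body += struct.pack("!BB", TYPE_BY_NAME[name], 2 + len(value)) + value
    payload = struct.pack("!I", VENDOR_ID) + body
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(payload)) + payload


def parse_vsa_permissions(attributes):
    """Return the permissions granted by the Check Point VSA in an attribute
    list, or None when no such VSA is present (no VSA, or another vendor's),
    so the caller knows to fall back to the appliance's local settings."""
    found = None
    for atype, value in _tlvs(attributes):
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != VENDOR_ID:
            continue
        if found is None:
            found = {}
        for vtype, vval in _tlvs(value[4:]):
            name = VSA_TYPES.get(vtype)
            if name is None:
                continue  # unknown sub-attribute: ignore rather than fail
            text = vval.decode("ascii", "replace").strip().lower()
            if text not in ("true", "false"):
                raise ValueError(f"{name}: expected true/false, got {text!r}")
            found[name] = text == "true"
    return found


def effective_permissions(attributes, local_permissions, features):
    """Apply the guide's rule: a configured VSA replaces the RADIUS User
    Permissions set on the appliance; otherwise the local settings apply.
    Assumption: a permission missing from a present VSA is not granted.
    Each result is then gated on the feature it depends on."""
    granted = parse_vsa_permissions(attributes)
    if granted is None:
        granted = dict(local_permissions)
    return {name: bool(granted.get(name, False)) and bool(features.get(gate, False))
            for name, gate in FEATURE_GATES.items()}


# Constructed sample: attributes of an Access-Accept for the guide's example
# user "JohnS" in realm "myrealm", granting VPN and UFP but not HotSpot.
SAMPLE_ACCEPT = (encode_user_name("JohnS", "myrealm")
                 + encode_vsa({"vpn": True, "hotspot": False, "ufp": True}))
ALL_FEATURES = {"remote_access_vpn_server": True,
                "secure_hotspot": True, "web_filtering": True}

if __name__ == "__main__":
    print(parse_vsa_permissions(SAMPLE_ACCEPT))
    print(effective_permissions(SAMPLE_ACCEPT, {}, ALL_FEATURES))
```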
Chapter 14
Maintenance
This chapter describes the tasks required for maintenance and diagnosis of your
VPN-1 Edge appliance.
This chapter includes the following topics:
Viewing Firmware Status .........................................................................389
Updating the Firmware.............................................................................391
Upgrading Your Software Product ...........................................................393
Registering Your VPN-1 Edge Appliance................................................397
Configuring Syslog Logging ....................................................................398
Controlling the Appliance via the Command Line ...................................400
Configuring HTTPS .................................................................................404
Configuring SSH ......................................................................................406
Configuring SNMP...................................................................................408
Setting the Time on the Appliance ...........................................................411
Using Diagnostic Tools ............................................................................415
Backing Up the VPN-1 Edge Appliance Configuration ...........................429
Resetting the VPN-1 Edge Appliance to Defaults....................................432
Running Diagnostics ................................................................................435
Rebooting the VPN-1 Edge Appliance.....................................................436
The firmware is the software program embedded in the VPN-1 Edge appliance.
You can view your current firmware version and additional details.
• Click Setup in the main menu, and click the Firmware tab.
The Firmware page appears.
Installed Product The licensed software and the number of allowed nodes. For example: VPN-1 Edge X unlimited nodes
3. Click Browse.
A browse window appears.
4. Select the image file and click Open.
The Firmware Update page reappears. The path to the firmware update image file
appears in the Browse text box.
5. Click Upload.
Your VPN-1 Edge appliance firmware is updated.
Updating may take a few minutes, during which time the PWR/SEC LED may
start flashing red or orange. Do not power off the appliance.
At the end of the process the VPN-1 Edge appliance restarts automatically.
You can upgrade the VPN-1 Edge product installed on your appliance, by
purchasing a new license. You will receive a new Product Key that enables you to
use advanced features on the same VPN-1 Edge appliance you have today. There is
no need to replace your hardware. You can also purchase node upgrades, as
needed.
For example, if you have VPN-1 Edge X16 and you need secure Internet access for
more than 16 computers, you can upgrade to VPN-1 Edge X32 without changing
your hardware.
Note: You can only upgrade within the same appliance hardware type.
To upgrade your product, you must install the new Product Key.
The VPN-1 Edge Licensing Wizard opens, with the Install Product Key dialog box
displayed.
6. Click Next.
8. Click Finish.
Your VPN-1 Edge appliance is restarted and the Welcome page appears.
If you want to activate your warranty and optionally receive notifications of new
firmware versions and services, you must register your VPN-1 Edge appliance.
Privacy Statement: Check Point is committed to protecting your privacy. We use
the information we collect about you to process orders and to improve our ability to
serve your needs. We will under no circumstances sell, lease, or otherwise disclose
any of your personal or contact details without your explicit permission.
9. Click Next.
The Registration… screen appears.
The third Registration dialog box appears.
10. Click Finish.
Your VPN-1 Edge appliance is restarted and the Welcome page appears.
You can configure the VPN-1 Edge appliance to send event logs to a Syslog server
residing in your internal network or on the Internet. The logs detail the date and the
time each event occurred. If the event is a communication attempt that was rejected
by the firewall, the event details include the source and destination IP address, the
destination port, and the protocol used for the communication attempt (for
example, TCP or UDP).
This same information is also available in the Event Log page (see Viewing the
Event Log on page 189). However, while the Event Log can display hundreds of
logs, a Syslog server can store an unlimited number of logs. Furthermore, Syslog
servers can provide useful tools for managing your logs.
Syslog Server Type the IP address of the computer that will run the Syslog service
(one of your network computers), or click This Computer to allow your
computer to host the service.
Default Click to reset the Syslog Port field to the default (port 514 UDP).
Depending on your VPN-1 Edge model, you can control your appliance via the
command line in the following ways:
• Using the VPN-1 Edge Portal's command line interface.
See Using the VPN-1 Edge Portal on page 400.
• Using a console connected to the VPN-1 Edge appliance.
For information, see Using the Serial Console on page 402.
• Using an SSH client.
See Configuring SSH on page 406.
You can control your appliance via the VPN-1 Edge Portal's command line
interface.
2. Click Command.
The Command Line page appears.
You can connect a console to the VPN-1 Edge appliance, and use the console to
control the appliance via the command line.
Note: Your terminal emulation software must be set to 57600 bps, N-8-1.
Configuring HTTPS
You can enable VPN-1 Edge appliance users to access the VPN-1 Edge Portal from
the Internet. To do so, you must first configure HTTPS.
To configure HTTPS
1. Click Setup in the main menu, and click the Management tab.
The Management page appears.
2. Specify from where HTTPS access to the VPN-1 Edge Portal should be granted.
See Access Options on page 405 for information.
Warning: If remote HTTPS is enabled, your VPN-1 Edge appliance settings can be
changed remotely, so it is especially important to make sure all VPN-1 Edge
appliance users’ passwords are difficult to guess.
Note: You can use HTTPS to access the VPN-1 Edge Portal from your internal
network, by surfing to https://my.firewall.
3. If you selected IP Address Range, enter the desired IP address range in the fields
provided.
4. Click Apply.
The HTTPS configuration is saved. If you configured remote HTTPS, you can
now access the VPN-1 Edge Portal through the Internet, using the procedure
Accessing the VPN-1 Edge Portal Remotely on page 46.
Additional fields appear, in which you can enter the desired IP address
range.
Disabled Nowhere.
Configuring SSH
VPN-1 Edge appliance users can control the appliance via the command line, using
the SSH (Secure Shell) management protocol. You can enable users to do so via
the Internet, by configuring remote SSH access. You can also integrate the VPN-1
Edge appliance with SSH-based management systems.
Note: The VPN-1 Edge appliance supports SSHv2 clients only. The SSHv1 protocol
contains security vulnerabilities and is not supported.
To configure SSH
1. Click Setup in the main menu, and click the Management tab.
The Management page appears.
2. Specify from where SSH access should be granted.
Warning: If remote SSH is enabled, your VPN-1 Edge appliance settings can be
changed remotely, so it is especially important to make sure all VPN-1 Edge
appliance users’ passwords are difficult to guess.
3. If you selected IP Address Range, enter the desired IP address range in the fields
provided.
4. Click Apply.
The SSH configuration is saved. If you configured remote SSH access, you can
now control the VPN-1 Edge appliance from the Internet, using an SSHv2
client.
For information on all supported commands, refer to the Embedded NGX CLI
Reference Guide.
Configuring SNMP
VPN-1 Edge appliance users can monitor the VPN-1 Edge appliance, using tools that
support SNMP (Simple Network Management Protocol). You can enable users to do so
via the Internet, by configuring remote SNMP access.
The VPN-1 Edge appliance supports the following SNMP MIBs:
• SNMPv2-MIB
• RFC1213-MIB
• IF-MIB
• IP-MIB
All SNMP access is read-only.
To configure SNMP
1. Click Setup in the main menu, and click the Management tab.
The Management page appears.
2. Specify from where SNMP access should be granted.
See Access Options on page 405 for information.
If you selected IP Address Range, additional fields appear.
3. If you selected IP Address Range, enter the desired IP address range in the fields
provided.
4. In the Community field, type the SNMP community string.
SNMP clients use the SNMP community string as a password when connecting to
the VPN-1 Edge appliance.
The default value is "public". It is recommended to change this string. Note that
SNMPv1 and SNMPv2c send the community string in clear text, so it only protects
the appliance against clients that cannot observe management traffic; restrict
SNMP access to the narrowest address range that needs it.
5. To configure advanced SNMP settings, click Advanced.
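The community string is the only credential an SNMPv1/v2c client presents, and it crosses the network unencrypted. The following Python example is added here to make that concrete; it is not appliance code and nothing is sent on the network. It builds an SNMPv2c GetRequest for sysDescr.0 (the kind of read-only query the MIBs listed above answer; the OID and the community strings are assumptions for the demonstration) and then recovers the community string from the raw datagram with a minimal BER decoder, which is exactly what anyone sniffing the management path can do.

```python
"""SNMPv2c GetRequest encoder plus a decoder that reads the community string
back out of the raw datagram.  Added example, not the appliance's own code.
Standard library only; no packets are transmitted."""

SNMP_V2C = 1                          # version field value for SNMPv2c
SYS_DESCR_OID = "1.3.6.1.2.1.1.1.0"   # sysDescr.0 from SNMPv2-MIB (assumed query)


def ber_length(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_length(len(body)) + body


def encode_int(value):
    """ASN.1 INTEGER for non-negative values (two's complement, sign bit clear)."""
    length = value.bit_length() // 8 + 1
    return tlv(0x02, value.to_bytes(length, "big", signed=True))


def encode_oid(dotted):
    """ASN.1 OBJECT IDENTIFIER: first two arcs share a byte, rest are base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                      # continuation bit on all but the last octet
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_get_request(community, oid=SYS_DESCR_OID, request_id=1):
    """SNMPv2c message: SEQUENCE { version, community, GetRequest-PDU }."""
    varbind = tlv(0x30, encode_oid(oid) + b"\x05\x00")          # { OID, NULL }
    pdu = tlv(0xA0,                                              # GetRequest-PDU
              encode_int(request_id) + encode_int(0) + encode_int(0)
              + tlv(0x30, varbind))
    return tlv(0x30, encode_int(SNMP_V2C)
               + tlv(0x04, community.encode("ascii")) + pdu)


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                   # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def extract_community(datagram):
    """What a passive observer learns from a single SNMPv1/v2c datagram."""
    tag, message, _ = read_tlv(datagram)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    tag, version, pos = read_tlv(message)
    tag2, community, _ = read_tlv(message, pos)
    if tag != 0x02 or tag2 != 0x04:
        raise ValueError("unexpected SNMP header")
    return int.from_bytes(version, "big", signed=True), community.decode("ascii")


if __name__ == "__main__":
    pkt = build_get_request("public")
    print(pkt.hex())
    print(extract_community(pkt))       # (1, 'public'): the password is on the wire
```

Because the string is readable in the datagram, changing it from "public" defeats only guessing, not interception; the "from where" restriction in step 2 is what actually limits who can query the appliance.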
You set the time displayed in the VPN-1 Edge Portal during initial appliance setup.
If desired, you can change the date and time using the procedure below.
3. Complete the fields using the information in Set Time Wizard Fields on page
414.
4. Click Next.
The following things happen in the order below:
• If you selected Specify date and time, the Specify Date and Time dialog
box appears.
Set the date, time, and time zone in the fields provided, then click Next.
• If you selected Use a Time Server, the Time Servers dialog box appears.
Complete the fields using the information in Time Servers Fields on page
414, then click Next.
• The Date and Time Updated screen appears.
5. Click Finish.
Your computer's clock: Set the appliance time to your computer's system time.
Use a Time Server: Synchronize the appliance time with a Network Time Protocol (NTP) server.
Specify date and time: Set the appliance to a specific date and time.
Select your time zone: Select the time zone in which you are located.
The VPN-1 Edge appliance is equipped with a set of diagnostic tools that are useful
for troubleshooting Internet connectivity.
Ping: Check that a specific IP address or DNS name can be reached via the Internet. See Using IP Tools on page 416.
Traceroute: Display a list of all routers used to connect from the VPN-1 Edge appliance to a specific IP address or DNS name. See Using IP Tools on page 416.
WHOIS: Display the name and contact information of the entity to which a specific IP address or DNS name is registered. This information is useful when tracing the source of an attack. See Using IP Tools on page 416.
Packet Sniffer: Capture network traffic. This information is useful for troubleshooting network problems. See Using Packet Sniffer on page 418.
Using IP Tools
To use an IP tool
1. Click Setup in the main menu, and click the Tools tab.
The Tools page appears.
2. In the IP Tools drop-down list, select the desired tool.
3. In the Address field, type the IP address or DNS name for which to run the tool.
4. Click Go.
• If you selected Ping, the following things happen:
The VPN-1 Edge appliance sends packets to the specified IP address or DNS name.
The IP Tools window opens and displays the percentage of packet loss and the
time each packet took to reach the specified host and return (round-trip) in
milliseconds.
The VPN-1 Edge appliance includes the Packet Sniffer tool, which enables you to
capture packets from any internal network or VPN-1 Edge port. This is useful for
troubleshooting network problems and for collecting data about network behavior.
The VPN-1 Edge appliance saves the captured packets to a file on your computer.
You can use a free protocol analyzer, such as Ethereal, to analyze the file, or you
can send it to technical support. Ethereal runs on all popular computing platforms
and can be downloaded from http://www.ethereal.com. (The Ethereal project has
since been renamed Wireshark, which opens the same capture files.)
The Packet Sniffer window displays the name of the interface, the number of
packets collected, and the percentage of storage space remaining on the
appliance for storing the packets.
The list includes the primary Internet connection, the VPN-1 Edge
appliance ports, and all defined networks.
Filter String: Type the filter string to use for filtering the captured packets. Only packets that match the filter condition will be saved. For a list of basic filter string elements, see Filter String Syntax on page 421. If you do not specify a filter string, Packet Sniffer will save all packets on the selected interface.
Capture only traffic to/from this gateway: Select this option to capture incoming and outgoing packets for this gateway only. If this option is not selected, Packet Sniffer will collect packets for all traffic on the interface.
and
PURPOSE
The and element is used to concatenate filter string elements. The filtered packets
must match all concatenated filter string elements.
SYNTAX
element and element [and element...]
element && element [&& element...]
PARAMETERS
EXAMPLE
The following filter string saves packets that both originate from IP address
192.168.10.1 and are destined for port 80:
src 192.168.10.1 and dst port 80
dst
PURPOSE
The dst element captures all packets with a specific destination.
SYNTAX
dst destination
PARAMETERS
• An IP address
• A host name
EXAMPLE
The following filter string saves packets that are destined for the IP address
192.168.10.1:
dst 192.168.10.1
dst port
PURPOSE
The dst port element captures all packets destined for a specific port.
SYNTAX
dst port port
Note: This element can be prepended by tcp or udp. For information, see tcp on
page 427 and udp on page 428.
PARAMETERS
EXAMPLE
The following filter string saves packets that are destined for port 80:
dst port 80
ether proto
PURPOSE
The ether proto element is used to capture packets of a specific ether protocol
type.
SYNTAX
ether proto \protocol
PARAMETERS
• An Ethernet protocol name, for example ip or arp. As in tcpdump filter syntax, the
leading backslash marks the name as a protocol identifier rather than a filter keyword.
host
PURPOSE
The host element captures all incoming and outgoing packets for a specific
computer.
SYNTAX
host host
PARAMETERS
• An IP address
• A host name
EXAMPLE
The following filter string saves all packets that either originated from IP address
192.168.10.1, or are destined for that same IP address:
host 192.168.10.1
not
PURPOSE
The not element is used to negate filter string elements.
SYNTAX
not element
! element
PARAMETERS
EXAMPLE
The following filter string saves packets that are not destined for port 80:
not dst port 80
or
PURPOSE
The or element is used to alternate between string elements. The filtered packets
must match at least one of the filter string elements.
SYNTAX
element or element [or element...]
element || element [|| element...]
PARAMETERS
EXAMPLE
The following filter string saves packets that either originate from IP address
192.168.10.1 or IP address 192.168.10.10:
src 192.168.10.1 or src 192.168.10.10
port
PURPOSE
The port element captures all packets originating from or destined for a specific
port.
SYNTAX
port port
Note: This element can be prepended by tcp or udp. For information, see tcp on
page 427 and udp on page 428.
PARAMETERS
EXAMPLE
The following filter string saves all packets that either originated from port 80, or
are destined for port 80:
port 80
src
PURPOSE
The src element captures all packets with a specific source.
SYNTAX
src source
PARAMETERS
• An IP address
• A host name
EXAMPLE
The following filter string saves packets that originated from IP address
192.168.10.1:
src 192.168.10.1
src port
PURPOSE
The src port element captures all packets originating from a specific port.
SYNTAX
src port port
Note: This element can be prepended by tcp or udp. For information, see tcp on
page 427 and udp on page 428.
PARAMETERS
EXAMPLE
The following filter string saves packets that originated from port 80:
src port 80
tcp
PURPOSE
The tcp element captures all TCP packets. This element can be prepended to port-
related elements.
Note: When not prepended to other elements, the tcp element is the equivalent of
ip proto tcp.
SYNTAX
tcp
tcp element
PARAMETERS
EXAMPLE 1
The following filter string captures all TCP packets:
tcp
EXAMPLE 2
The following filter string captures all TCP packets destined for port 80:
tcp dst port 80
udp
PURPOSE
The udp element captures all UDP packets. This element can be prepended to port-
related elements.
Note: When not prepended to other elements, the udp element is the equivalent of
ip proto udp.
SYNTAX
udp
udp element
PARAMETERS
EXAMPLE 1
The following filter string captures all UDP packets:
udp
EXAMPLE 2
The following filter string captures all UDP packets destined for port 80:
udp dst port 80
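The elements above (and/&&, or/||, not/!, host, src, dst, port, src port, dst port, and the tcp/udp qualifiers) follow tcpdump's filter grammar. The Python example below is added to show how such a filter string is parsed and applied; it is not the appliance's implementation, and it evaluates the filter over a constructed list of packet summaries rather than a live interface. Operator precedence (not binds tightest, then and, then or) is assumed from tcpdump, as is the ability to put a plain src or dst address after tcp or udp.

```python
"""Evaluator for the Packet Sniffer filter-string elements documented above.
Added example, not the appliance's code.  Runs offline over constructed
packet records."""

# Constructed sample "capture": five packet summaries, not real traffic.
PACKETS = [
    {"proto": "tcp",  "src": "192.168.10.1",  "dst": "10.0.0.5",     "sport": 51000, "dport": 80},
    {"proto": "tcp",  "src": "10.0.0.5",      "dst": "192.168.10.1", "sport": 80,    "dport": 51000},
    {"proto": "udp",  "src": "192.168.10.10", "dst": "192.168.10.1", "sport": 5353,  "dport": 53},
    {"proto": "udp",  "src": "192.168.10.1",  "dst": "8.8.8.8",      "sport": 40000, "dport": 53},
    {"proto": "icmp", "src": "192.168.10.10", "dst": "8.8.8.8",      "sport": None,  "dport": None},
]


def tokenize(text):
    """Map the symbolic operators onto their keyword forms, then split on whitespace."""
    text = text.replace("&&", " and ").replace("||", " or ").replace("!", " not ")
    return text.split()


class FilterParser:
    """Recursive-descent parser that turns a filter string into a predicate.
    Precedence assumed from tcpdump: not, then and, then or."""

    def __init__(self, tokens):
        self.tokens = tokens
        self.pos = 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("filter string ends early")
        self.pos += 1
        return tok

    def parse(self):
        pred = self.or_expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return pred

    def or_expr(self):                              # element or element [or ...]
        left = self.and_expr()
        while self.peek() == "or":
            self.take()
            left = (lambda l, r: lambda p: l(p) or r(p))(left, self.and_expr())
        return left

    def and_expr(self):                             # element and element [and ...]
        left = self.not_expr()
        while self.peek() == "and":
            self.take()
            left = (lambda l, r: lambda p: l(p) and r(p))(left, self.not_expr())
        return left

    def not_expr(self):                             # not element
        if self.peek() == "not":
            self.take()
            inner = self.not_expr()
            return lambda p: not inner(p)
        return self.element()

    def element(self):
        tok = self.take()
        if tok in ("tcp", "udp"):                   # bare, or prepended to another element
            proto = tok
            by_proto = lambda p: p["proto"] == proto
            if self.peek() in ("port", "src", "dst"):
                rest = self.element()
                return lambda p: by_proto(p) and rest(p)
            return by_proto
        if tok == "host":                           # either direction
            addr = self.take()
            return lambda p: addr in (p["src"], p["dst"])
        if tok == "port":                           # either direction
            number = int(self.take())
            return lambda p: number in (p["sport"], p["dport"])
        if tok in ("src", "dst"):                   # src/dst address, or src/dst port N
            if self.peek() == "port":
                self.take()
                number = int(self.take())
                key = "sport" if tok == "src" else "dport"
                return lambda p: p[key] == number
            addr = self.take()
            return lambda p: p[tok] == addr
        raise ValueError(f"unknown filter element {tok!r}")


def compile_filter(text):
    return FilterParser(tokenize(text)).parse()


def matching_packets(text, packets=PACKETS):
    """Indexes of the packets that the filter would save."""
    keep = compile_filter(text)
    return [i for i, p in enumerate(packets) if keep(p)]


if __name__ == "__main__":
    for f in ("src 192.168.10.1 and dst port 80", "host 192.168.10.1",
              "not dst port 80", "tcp dst port 80", "udp dst port 80"):
        print(f"{f!r:40} -> {matching_packets(f)}")
```

Each filter from the examples above can be checked against the five constructed packets, and a malformed string such as "dst port" with no number is rejected rather than silently saving everything.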
You can export the VPN-1 Edge appliance configuration to a *.cfg file, and use
this file to backup and restore VPN-1 Edge appliance settings, as needed. The file
includes all your settings.
The configuration file is saved as a textual CLI script. If desired, you can edit the
file. For a full explanation of the CLI script format and the supported CLI
commands, see the Embedded NGX CLI Reference Guide.
You can reset the VPN-1 Edge appliance to its default settings. When you reset
your VPN-1 Edge appliance, it reverts to the state it was originally in when you
purchased it. You can choose to keep the current firmware or to revert to the
firmware version that shipped with the VPN-1 Edge appliance.
Warning: This operation erases all your settings and password information. You will
have to set a new password and reconfigure your VPN-1 Edge appliance for Internet
connection. For information on performing these tasks, see Setting Up the VPN-1
Edge Appliance.
You can reset the VPN-1 Edge appliance to defaults via the Web management
interface (software) or by manually pressing the Reset button (hardware) located at
the back of the VPN-1 Edge appliance.
To reset the VPN-1 Edge appliance to factory defaults via the Web interface
1. Click Setup in the main menu, and click the Tools tab.
The Tools page appears.
2. Click Factory Settings.
3. To revert to the firmware version that shipped with the appliance, select the
check box.
4. Click OK.
• The Please Wait screen appears.
To reset the VPN-1 Edge appliance to factory defaults using the Reset button
1. Make sure the VPN-1 Edge appliance is powered on.
2. Using a pointed object, press the RESET button on the back of the VPN-1 Edge
appliance steadily for seven seconds and then release it.
3. Allow the VPN-1 Edge appliance to boot-up until the system is ready
(PWR/SEC LED flashes slowly or illuminates steadily in green light).
For information on the appliance's front and rear panels, see the relevant Getting
to Know Your Appliance section in Introduction on page 1.
Warning: If you choose to reset the VPN-1 Edge appliance by disconnecting the
power cable and then reconnecting it, be sure to leave the VPN-1 Edge appliance
disconnected for at least three seconds, or the VPN-1 Edge appliance might not
function properly until you reboot it as described below.
Running Diagnostics
You can view technical information about your VPN-1 Edge appliance’s hardware,
firmware, license, network status, and Service Center.
This information is useful for troubleshooting. You can export it to an *.html file
and send it to technical support.
If your VPN-1 Edge appliance is not functioning properly, rebooting it may solve
the problem.
Chapter 15
Overview
The VPN-1 Edge W series includes a built-in print server, enabling you to connect
USB-based printers to the appliance and share them across the network.
Note: When using computers with a Windows 2000/XP operating system, the VPN-1
Edge appliance supports connecting up to four USB-based printers to the
appliance. When using computers with a Mac OS X operating system, the VPN-1
Edge appliance supports connecting one printer.
The appliance automatically detects printers as they are plugged in, and they
immediately become available for printing. Usually, no special configuration is
required on the VPN-1 Edge appliance.
Note: The VPN-1 Edge print server supports printing via "all-in-one" printers.
Copying and scanning functions are not supported.
4. If the printer is not listed, check that you connected the printer correctly, then
click Refresh to refresh the page.
5. Write down the port number allocated to the printer.
The port number appears in the Printer Server TCP Port field. You will need this
number later, when configuring computers to use the network printer.
6. To change the port number, do the following:
a. Type the desired port number in the Printer Server TCP Port field.
Note: Printer port numbers may not overlap, and must be high ports.
b. Click Apply.
You may want to change the port number if, for example, the printer you are
setting up is intended to replace another printer. In this case, you should change
the replacement printer's port number to the old printer's port number, and you
can skip the next step.
7. Configure each computer from which you want to enable printing to the network
printer.
See Configuring Computers to Use Network Printers on page 439.
Perform the relevant procedure on each computer from which you want to enable
printing via the VPN-1 Edge print server to a network printer.
Windows 2000/XP
This procedure is relevant for computers with a Windows 2000/XP operating
system.
5. Click Next.
The Local or Network Printer dialog box appears.
Note: Do not select the Automatically detect and install my Plug and Play printer check
box.
7. Click Next.
The Select a Printer Port dialog box appears.
12. In the Printer Name or IP Address field, type the VPN-1 Edge appliance's
LAN IP address, or "my.firewall".
You can find the LAN IP address in the VPN-1 Edge Portal, under Network > My
Network.
The Port Name field is filled in automatically.
13. Click Next.
The Add Standard TCP/IP Printer Port Wizard opens, with the Additional Port
Information Required dialog box displayed.
16. In the Port Number field, type the printer's port number, as shown in the
Printers page.
17. In the Protocol area, make sure that Raw is selected.
18. Click OK.
The Add Standard TCP/IP Printer Port Wizard reappears.
19. Click Next.
The Completing the Add Standard TCP/IP Printer Port Wizard dialog box appears.
The Add Printer Wizard reappears, with the Install Printer Software dialog box
displayed.
Mac OS X
This procedure is relevant for computers with the latest version of the Mac OS X
operating system.
Note: This procedure may not apply to earlier Mac OS X versions.
6. Click Add.
New fields appear.
11. In the Printer Model list, select the desired printer type.
A list of models appears.
14. In the Printer List window, select the newly added printer, and click Make
Default.
When you set up a new network printer, the VPN-1 Edge appliance automatically
assigns a port number to the printer. If you want to use a different port number, you
can easily change it, as described in Setting up Network Printers on page 438.
However, you may sometimes need to change the port number after completing
printer setup. For example, you may want to replace a malfunctioning network
printer, with another existing network printer, without reconfiguring the client
computers. To do this, you must change the replacement printer's port number to
the malfunctioning printer's port number, as described below.
Note: Each printer port number must be different, and must be a high port.
You can cause a network printer to restart the current print job, by resetting the
network printer. You may want to do this if the print job has stalled.
Chapter 16
Troubleshooting
This chapter provides solutions to common problems you may encounter while
using the VPN-1 Edge appliance.
Connectivity
I cannot access the Internet. What should I do?
• Check if the PWR/SEC LED is green. If not, check the power connection
to the VPN-1 Edge appliance.
• Check if the WAN LINK/ACT LED is green. If not, check the network
cable to the modem and make sure the modem is turned on.
• Check if the LAN LINK/ACT LED for the port used by your computer is
green. If not, check if the network cable linking your computer to the
VPN-1 Edge appliance is connected properly. Try replacing the cable or
connecting it to a different LAN port.
• Using your Web browser, go to http://my.firewall and see whether
"Connected" appears on the Status Bar. Make sure that your VPN-1 Edge
appliance network settings are configured as per your ISP directions.
• Check your TCP/IP configuration according to Installing and Setting up
the VPN-1 Edge Appliance on page 17.
• If Web Filtering or Email Filtering are on, try turning them off.
• Check if you have defined firewall rules which block your Internet
connectivity.
• Check with your ISP for possible service outage.
• Check whether you are exceeding the maximum number of computers
allowed by your license, by viewing the Active Computers page.
I cannot access my DSL broadband connection. What should I do?
DSL equipment comes in two flavors: bridges (commonly known as DSL modems)
and routers. Some DSL equipment can be configured to work both ways.
• If you connect to your ISP using a PPPoE or PPTP dialer defined in your
operating system, your equipment is most likely configured as a DSL
bridge. Configure a PPPoE or PPTP type DSL connection.
• If you were not instructed to configure a dialer in your operating system,
your equipment is most likely configured as a DSL router. Configure a
LAN connection, even if you are using a DSL connection.
For instructions, see Configuring the Internet Connection on page 55.
I cannot access my Cable broadband connection. What should I do?
• Some cable ISPs require you to register the MAC address of the device
behind the cable modem. You may need to clone your Ethernet adapter
MAC address onto the VPN-1 Edge appliance. For instructions, see
Configuring the Internet Connection on page 55.
• Some cable ISPs require using a hostname for the connection. Try
reconfiguring your Internet connection and specifying a hostname. For
further information, see Configuring the Internet Connection on page 55.
I cannot access http://my.firewall or http://my.vpn. What should I do?
• Verify that the VPN-1 Edge appliance is operating (PWR/SEC LED is
active)
• Check if the LAN LINK/ACT LED for the port used by your computer is
on. If not, check if the network cable linking your computer to the VPN-1
Edge appliance is connected properly.
Note: You may need to use a crossover cable when connecting the VPN-1 Edge
appliance to another hub/switch.
Note: 192.168.10 is the default value, and it may vary if you changed it in the My
Network page.
• Consider whether you really need the router. The VPN-1 Edge appliance
can be used as a replacement for your router, unless you need it for some
additional functionality that it provides, such as Wireless access.
• If possible, disable NAT in the router. Refer to the router’s documentation
for instructions on how to do this.
• If the router has a “DMZ Computer” or “Exposed Host” option, set it to the
VPN-1 Edge appliance’s external IP address.
• Open the following ports in the NAT device:
• UDP 9281/9282
• UDP 500 (IKE)
• TCP 256
• TCP 264
• ESP IP protocol 50
• TCP 981
I cannot receive audio or video calls through the VPN-1 Edge appliance. What should I do?
To enable audio/video, you must configure an IP Telephony (H.323) virtual server.
For instructions, see Configuring Servers on page 210.
I run a public Web server at home but it cannot be accessed from the Internet. What should I
do?
Configure a virtual Web Server. For instructions, see Configuring Servers on page
210.
I cannot connect to the LAN network from the DMZ network. What should I do?
By default, connections from the DMZ network to the LAN network are blocked.
To allow traffic from the DMZ to the LAN, configure appropriate firewall rules.
For instructions, see Using Rules on page 212.
Other Problems
I have forgotten my password. What should I do?
Reset your VPN-1 Edge appliance to factory defaults using the Reset button as
detailed in Resetting the VPN-1 Edge Appliance to Defaults on page 432.
Why are the date and time displayed incorrectly?
You can adjust the time on the Setup page's Tools tab. For information, see Setting
the Time on the Appliance on page 411.
I cannot use a certain network application. What should I do?
Look at the Event Log page. If it lists blocked attacks, do the following:
• Set the VPN-1 Edge appliance's firewall level to Low and try again.
• If the application still does not work, set the computer on which you want
to use the application to be the exposed host.
For instructions, see Defining an Exposed Host on page 266.
When you have finished using the application, make sure to clear the exposed host
setting, otherwise your security might be compromised.
Chapter 17
Specifications
This chapter includes the following topics:
Technical Specifications.......................................................................... 459
CE Declaration of Conformity................................................................. 462
Federal Communications Commission Radio Frequency Interference
Statement ................................................................................................. 464
Technical Specifications
Table 86: VPN-1 Edge Appliance Attributes
General
(The table gives two power-supply variants side by side; they are separated here by |.)
Power supply nominal input voltage, frequency: US Model: 90~132 VAC, 50~60Hz; Japan Model: 100VAC, 50~60Hz | All Models: 100~240VAC, 50~60Hz
Power supply nominal output voltage: All Models: 9VAC, 1.5A | All Models: 5VDC, 3A
Environmental Conditions
Applicable Standards
Shock & Vibration: ETSI 300 019-2-3 CLASS 3.1 & CNS1219 C6343; Bellcore GR 63 (NEBS); TL9000-HW R3.0; ISO 14001; OHSAS 18001:1999
Wireless
CE Declaration of Conformity
SofaWare Technologies Ltd., 3 Hilazon St., Ramat-Gan Israel, Hereby declares
that this equipment is in conformity with the essential requirements specified in
Article 3.1 (a) and 3.1 (b) of:
• Directive 89/336/EEC (EMC Directive)
• Directive 73/23/EEC (Low Voltage Directive – LVD)
• Directive 99/05/EEC (Radio Equipment and Telecommunications
Terminal Equipment Directive)
In accordance with the following standards:
• EN 61000-4-2:1995
• EN 61000-4-3:1995
• EN 61000-4-4:1995
• EN 61000-4-8:1993
• EN 61000-4-11:1994
• ENV50204:1995
• EN 61000-6-3:2001
• EN 55022:1998
• EN 55024:1998
• EN 61000-4-2:1995
• EN 61000-4-3:1996/A2:2001
• EN 61000-4-4:1995
• EN 61000-4-5:1995
• EN 61000-4-6:1996
• EN 61000-4-7:1993
• EN 61000-4-8:1993
• EN 61000-4-9:1993
• EN 61000-4-10:1993
• EN 61000-4-11:1994
• EN 61000-4-12:1995
Glossary of Terms
A
ADSL Modem
A device connecting a computer to the Internet via an existing phone line. ADSL (Asymmetric Digital Subscriber Line) modems offer a high-speed 'always-on' connection.
C
CA
See Certificate Authority.
Cable Modem
[...] network. Cable modems offer a high-speed 'always-on' connection.
Certificate Authority
The Certificate Authority (CA) issues certificates to entities such as gateways, users, or computers. The entity later uses the certificate to identify itself and provide verifiable information. For instance, the certificate includes the Distinguished Name (DN) (identifying information) of the entity, as well as the public key (information about itself), and possibly the IP address.
After two entities exchange and validate each other's certificates, they can authenticate each other and set up encrypted communication between themselves, using the public keys in the certificates.
I
IPSEC
IPSEC is the leading Virtual Private Networking (VPN) standard. IPSEC enables individuals or offices to establish secure communication channels ('tunnels') over the Internet.
ISP
An ISP (Internet service provider) is a company that provides access to the Internet and other related services.
L
LAN
A local area network (LAN) is a group of computers and associated devices that share a common communications line and typically share the resources of a single server within a small geographic area.
M
MAC Address
The MAC (Media Access Control) address is the unique hardware address of a network interface. On the LAN, a mapping (ARP) relates each IP address to the physical (MAC) address of the interface that owns it.
Mbps
Megabits per second. Measurement unit for the rate of data transmission.
MTU
The Maximum Transmission Unit (MTU) is a parameter that determines the largest datagram that can be transmitted by an IP interface without being broken down into smaller units. The MTU should be larger than the largest datagram you wish to transmit unfragmented. Note: This only prevents fragmentation locally. Some other link in the path may have a smaller MTU; the datagram will be fragmented at that point. Typical values are 1500 bytes for an Ethernet interface or 1492 for a PPPoE interface.
N
NAT
Network Address Translation (NAT) is the translation or mapping of an IP address to a different IP address. NAT can be used to map several internal IP addresses to a single IP address, thereby sharing a single IP address assigned by the ISP among several PCs.
Check Point FireWall-1's Stateful Inspection Network Address Translation (NAT) implementation supports hundreds of pre-defined applications, services, and protocols, more than any other firewall vendor.
NetBIOS
NetBIOS is the networking protocol used by DOS and Windows machines.
P
Packet
A packet is the basic unit of data that flows from one source on the Internet to another destination on the Internet. When any file (e-mail message, HTML file, GIF file etc.) is sent from one place to another on the Internet, the file is divided into "chunks" of an efficient size for routing. Each of these packets is separately numbered and includes the Internet address of the destination. The individual packets for a given file may travel different routes through the Internet. When they have all arrived, they are reassembled into the original file at the receiving end.
PPPoE
PPPoE (Point-to-Point Protocol over Ethernet) enables connecting multiple computer users on an Ethernet local area network to a remote site or ISP, through common customer premises equipment (e.g. modem).
PPTP
The Point-to-Point Tunneling Protocol (PPTP) allows extending a local network by establishing private "tunnels" over the Internet. This protocol is also used by some DSL providers as an alternative to PPPoE.
R
RJ-45
The RJ-45 is the 8-pin modular connector used for Ethernet over twisted-pair cable.
Router
A router is a device that determines the next network point to which a packet should be forwarded toward its destination. The router is connected to at least two networks.
S
Server
A server is a program (or host) that awaits and fulfils requests from client programs across the network. For example, a Web server is the computer program, running on a specific host, that serves requested HTML pages or files. Your browser is the client program, in this case.
Stateful Inspection
Stateful Inspection was invented by Check Point to provide the highest level of security by examining every layer within a packet, unlike other systems of inspection. Stateful Inspection extracts information required for security decisions from all application layers and retains this information in dynamic state tables for evaluating subsequent connection attempts. In other words, it learns.
Subnet Mask
A 32-bit identifier indicating how the network is split into subnets. The subnet mask indicates which part of the IP address is the host ID and which indicates the subnet.
T
TCP
TCP (Transmission Control Protocol) is a set of rules (protocol) used along with the Internet Protocol (IP) to send data in the form of message units between computers over the Internet. While IP takes care of handling the actual delivery of the data, TCP takes care of keeping track of the individual units of data (called packets) that a message is divided into for efficient routing through the Internet.
For example, when an HTML file is sent to you from a Web server, the Transmission Control Protocol (TCP) program layer in that server divides the file into one or more packets, numbers the packets, and then forwards them individually to the IP program layer. Although each packet has the same destination IP address, it may get routed differently through the network. At the other end (the client program in your computer), TCP reassembles the individual packets and waits until they have all arrived to forward them to you as a single file.
TCP/IP
TCP/IP (Transmission Control Protocol/Internet Protocol) is the underlying communication protocol of the Internet.
U
UDP
UDP (User Datagram Protocol) is a communications protocol that offers a limited amount of service when messages are exchanged between computers in a network that uses the Internet Protocol (IP). UDP is an alternative to the Transmission Control Protocol (TCP) and, together with IP, is sometimes referred to as UDP/IP. Like the Transmission Control Protocol, UDP uses the Internet Protocol to actually get a data unit (called a datagram) from one computer to another. Unlike
URL
A URL (Uniform Resource Locator) is the address of a file (resource) accessible on the Internet. The type of resource depends on the Internet application protocol. On the Web (which uses the Hypertext Transfer Protocol), an example of a URL is 'http://www.sofaware.com'.
V
VPN
A virtual private network (VPN) is a private data network that makes use of the public telecommunication infrastructure, maintaining privacy through the use of a tunneling protocol and security procedures.
VPN tunnel
A secure connection between a Remote Access VPN Client and a Remote Access VPN Server.
Index
8
802.1x • 163, 165
A
account, configuring • 294
active computers, viewing • 196
active connections, viewing • 199
Allow and Forward rules, explained • 216
Allow rules, explained • 216
Automatic login • 353
B
backup connection
  configuring • 92
  dialup • 93
  LAN or broadband • 92
Block Known Ports • 250
Block Port Overflow • 251
Block rules, explained • 216
Blocked FTP Commands • 253
C
CA, explained • 357, 465
cable modem
  connection • 60, 68
  explained • 465
cable type • 37
certificate
  explained • 357
  generating self-signed • 358
  importing • 362
  installing • 357
  uninstalling • 364
Cisco IOS DOS • 240
command line interface
  controlling the appliance via • 400
D
DHCP
  configuring • 96
  explained • 466
  options • 103
DHCP Server
  enabling/disabling • 96
  explained • 96
diagnostic tools
  Packet Sniffer • 418
  Ping • 415
  Traceroute • 415
  using • 415
  WHOIS • 415
diagnostics • 435
dialup
  connection • 76, 93
  modem • 85
dialup modem, setting up • 85
DMZ
  configuring • 109
  configuring High Availability for • 121
  explained • 109, 466
DNS • 92, 415, 466
Dynamic DNS • 6, 287, 293
E
Email Antispam, see Email Filtering • 300
Email Antivirus, see Email Filtering • 300
Email Filtering
  Email Antispam • 300
  Email Antivirus • 300
  enabling/disabling • 301
  selecting protocols for • 302
  snoozing • 302
  temporarily disabling • 302
event log, viewing • 189
exposed host
  defining a computer as • 266
  explained • 266, 466
F
File and Print Sharing • 254
firewall
  levels • 207
  rule types • 214
  setting security level • 207
firmware
  explained • 389, 466
  updating manually • 391
  viewing status • 389
FTP Bounce • 249
G
gateways
  backup • 121
  default • 109, 121, 140
  explained • 466
  ID • 293
  master • 121
  Site-to-Site VPN • 308
H
Hide NAT
  enabling/disabling • 108
  explained • 108, 468
high availability
  configuring • 121
  explained • 121